Background of the Invention
Field of the Invention 

The present invention relates to a packet relay 
processing apparatus optimizing a server which has a 
server load balancing control capability, a NAT (Network 
Address Translation) capability, a bandwidth control 
capability, a VPN (Virtual Private Network) capability, 
and a firewall service capability. 

Description of the Related Art 

With the recent popularization of the WWW (World
Wide Web), and packet communication services of e-mail
and cellular phones, the Internet has been rapidly
expanding. Because of this phenomenon, the demands for
speeding up networks and for enhancing capabilities such
as security, etc. have been rising. A current network
service is normally implemented by a configuration
composed of a server and a network connecting device
such as a NIC (Network Interface Card), etc. Since recent
network services have been becoming complex, a platform 
implemented by a server is suitable in terms of being 
able to flexibly meet diverse and new demands. 

Fig. 1 shows the configuration of a conventional
packet relay processing apparatus. The packet relay
processing apparatus shown in this figure has a general 
configuration such that a server and network connecting 
devices implement services on a network. In Fig. 1, thin 
arrows indicate the flow of control information, whereas 
thick arrows indicate the flow of packet information. 

In this figure, the server 100 comprises a packet 
processing unit 101, service 1 to n processing units 
102, and service 1 to n controlling units 103. 

The service 1 to n processing units 102 perform 
session management and routing according to a policy 
set by the service 1 to n controlling units 103, and 
further perform service processes such as filtering, 
load balancing, etc. 

A packet that is input from a network via a network 
connecting unit 106 is transmitted to the packet 
processing unit 101 of the server 100 via any of the 
network connecting devices 104 and any of packet 
communicating units 105. Then, the packet is processed 
by the packet processing unit 101. 

Since the Internet has been quickly becoming 
larger in recent years, the amount of packets flowing 
on a network has been exhibiting an exponential growth. 
For this reason, the above described conventional server 
is almost unable to meet the requested processing speed,
and a technique for speeding up the processing of a
server is demanded. At the same time, when creating a new
platform, it is desirable to preserve as far as possible
the server's advantage of being able to integrate many
services.

Summary of the Invention 

An object of the present invention is to speed up 
service processes of a server by arranging a process 
shared by many network services in a network connecting 
device.

The present invention relates to a packet relay 
processing apparatus having a server and a network 
connecting device. 

To overcome the above described problem, 
according to one aspect of the present invention, a 
network connecting device, which configures a packet 
relay processing apparatus relaying a packet, comprises 
a session managing unit managing a session, and a packet 
processing unit relaying a packet based on the session 
management made by the session managing unit. 

With this configuration, the network connecting 
device performs a packet relay process based on the 
session management that a server conventionally makes. 
As a result, the load on the server can be reduced,
thereby speeding up the service process performed by
the server.

Furthermore, in the above described configuration, 
the network connecting device may further comprise a 
routing table storing routing information about the 
routing destination of a packet, and a routing 
processing unit determining the routing destination of 
the packet at the start of a session based on the routing 
information. The packet processing unit outputs the 
packet to the routing destination determined by the 
routing processing unit. As a result, the consistency 
of a service process can be maintained for the session 
currently being continued, even if the routing 
information is changed during the session. Here, the 
server may comprise a network controlling unit, which 
registers routing information to the routing table. 

According to another aspect of the present 
invention, the network connecting device further 
comprises a server transferring unit in addition to the 
session managing unit and the packet processing unit, 
and the server comprises an external session managing 
unit. The session managing unit transfers session 
information about a session to the server based on a 
given condition. The external session managing unit 
within the server manages the session based on the
received session information. As a result, it becomes
possible to make the network connecting device or the 
server perform session management depending on a 
condition. 

According to a further aspect of the present 
invention, the network connecting device further 
comprises a session table storing information about a 
session, and a policy table storing a policy which 
describes a rule for applying a service for a packet, 
in addition to the session managing unit and the packet 
processing unit. Upon receipt of a packet, the session 
managing unit searches the session table by using 
information included in the packet as a search key. If 
corresponding session information is not registered to 
the session table as a result of the search, the session 
managing unit obtains a corresponding policy from the 
policy table by further using the information included 
in the packet as a search key, and writes session 
information to the session table based on the obtained 
policy. 

If corresponding session information is 
registered as a result of the search, the session 
managing unit manages the session information stored 
in the session table based on the state of the session. 
Also in this way, the consistency of a service process
can be maintained for the session currently being
continued, even if routing information is changed during 
the session. 

According to a still further aspect of the present 
invention, the network connecting device further 
comprises a process distributing unit, and a plurality 
of service processing units in addition to the session 
managing unit and the packet processing unit. The 
process distributing unit distributes a packet to at 
least one of the plurality of service processing units 
based on the contents of a service for the packet. The 
service processing unit to which the packet is 
distributed performs a service process for the packet. 

As a result, it becomes possible to make the 
network connecting device, which can perform a service 
process faster than a server, perform at least some of 
service processes that the server conventionally 
performs.

Additionally, in the above described 
configuration, the process distributing unit may 
transfer a packet to the server based on a given 
condition. In this case, the server, which configures 
the packet relay processing apparatus relaying a packet, 
comprises an external service processing unit receiving 
a packet transferred from the process distributing unit,
and applying a service for the packet. With this
configuration, it becomes possible to make the network 
connecting device or the server apply the service for 
a packet depending on a condition. 

Furthermore, in the above described configuration, 
the server may further comprise a packet details 
analyzing unit determining the contents of a service 
for a packet by analyzing the packet upon receipt of 
the packet transferred from the process distributing 
unit, and setting the contents of the determined service 
in the network connecting device. After the contents 
of the determined service are set, the network 
connecting device processes subsequent packets based 
on the contents of the determined service. Namely, once 
a packet is analyzed by the server at the start of a 
session, the network connecting device processes 
subsequent packets based on an analysis result. 
Therefore, the load on the server can be reduced, and 
a packet can be processed faster. Also in this case, 
the consistency of a service process can be maintained 
for a session currently being continued, even if routing 
information is changed during the session. 

Brief Description of the Drawings 

The features and advantages of the present
invention will be more clearly appreciated from the
following description taken in conjunction with the 
accompanying drawings in which like elements are denoted 
by like reference numerals and in which: 

Fig. 1 shows the configuration of a conventional 
packet relay processing apparatus; 

Fig. 2 explains the outline of the present 
invention; 

Fig. 3 shows the configuration of a packet relay 
processing apparatus according to a first preferred 
embodiment of the present invention; 

Fig. 4 shows the structure of a transfer packet; 

Fig. 5 is a flowchart showing the process 
performed by a packet processing unit; 

Fig. 6 is a flowchart showing the process 
performed by a session managing unit; 

Fig. 7 exemplifies the configuration of a session
table;

Fig. 8 shows the state transition of a TCP session; 

Fig. 9 explains the state transition from the 
start to the end of a TCP session; 

Fig. 10 shows the state transition of a UDP 
session; 

Fig. 11 shows the configuration of a packet relay
processing apparatus according to a second preferred
embodiment of the present invention;

Fig. 12 is a flowchart showing the processes 
performed by a session managing unit and an external 
session managing unit according to the second preferred 
embodiment; 

Fig. 13 shows the configuration of a packet relay 
processing apparatus according to a third preferred 
embodiment of the present invention; 

Fig. 14 exemplifies the configuration of a session 
table according to the third preferred embodiment; 

Fig. 15 exemplifies the configuration of a policy 
table according to the third preferred embodiment; 

Fig. 16 is a flowchart showing the process 
performed by a session managing unit according to the 
third preferred embodiment; 

Fig. 17 is a flowchart showing the processes 
performed by a process distributing unit and a service 
processing unit according to the third preferred 
embodiment; 

Fig. 18 shows the packet flow in a load balancing 
service after a policy search is terminated in the third 
preferred embodiment; 

Fig. 19 shows the configuration of a packet relay 
processing apparatus according to a fourth preferred 
embodiment of the present invention; 

Fig. 20 is a flowchart showing the processes
performed by a process distributing unit, a service 
processing unit, and an external service processing unit 
according to the fourth preferred embodiment; 

Fig. 21 shows the configuration of a packet relay 
processing apparatus according to a fifth preferred 
embodiment of the present invention; 

Fig. 22 exemplifies a session table before details 
of a packet are analyzed in the fifth preferred 
embodiment (No. 1); 

Fig. 23 exemplifies the session table before the 
details of the packet are analyzed in the fifth preferred 
embodiment (No. 2); 

Fig. 24 exemplifies the session table after the 
details of the packet are analyzed in the fifth preferred 
embodiment (No. 1);

Fig. 25 exemplifies the session table after the 
details of the packet are analyzed in the fifth preferred 
embodiment (No. 2); 

Fig. 26 exemplifies the configuration of a session 
table for details analysis; 

Fig. 27 exemplifies the configuration of a policy 
table for details analysis; 

Fig. 28 shows the concept of operations of the
packet relay processing apparatus according to the fifth
preferred embodiment;

Fig. 29 is a flowchart showing the processes 
performed by a process distributing unit, a service 
processing unit, and a packet details analyzing unit 
according to the fifth preferred embodiment; 

Fig. 30 is a flowchart showing the process 
performed by the packet details analyzing unit; 

Fig. 31 explains the operations of URL filtering;

Fig. 32 explains the operations of a URL load
balancing service;

Fig. 33 explains the operations of FTP filtering;

Fig. 34 shows the packet flow in a URL load
balancing service before details of a packet are
analyzed in the fifth preferred embodiment;

Fig. 35 shows the packet flow in the URL load 
balancing service after the details of the packet are 
analyzed in the fifth preferred embodiment; 

Fig. 36 exemplifies the data configuration of a 
flag table; 

Fig. 37 shows the configuration of a computer; 

Fig. 38 explains a storage medium or a 
transmission signal, which provides programs and data 
to a computer; and 

Fig. 39 explains the loading of programs and data 
into a server and a network connecting device. 



Description of the Preferred Embodiments 

Fig. 2 explains the outline of the present 
invention. In this figure, a packet relay processing 
apparatus comprises a server 1 and a network connecting 
device 2. According to the present invention, a packet 
processing unit and a session managing unit, which are 
conventionally arranged in a server, are arranged in 
the network connecting device 2 so that a packet relay 
processing unit is configured. With the packet relay 
processing unit, a packet relay process based on session 
management is performed in the network connecting device
2.

Additionally, a process distributing unit 2c and 
a plurality of service processing units 2d are arranged 
in the network connecting device 2, so that the process 
distributing unit 2c distributes a packet to the 
plurality of service processing units 2d based on 
session management according to a policy set by the 
server 1.

Furthermore, an external session managing unit is 
arranged in the server 1. If the number of sessions 
exceeds the number registered to a session table of the 
network connecting device 2, session management can
also be performed by the server 1.

Still further, the packet relay processing
apparatus can be configured in a way such that an
external service processing unit is arranged in the
server 1, the process distributing unit 2c transfers
a packet to the server 1, and the external service
processing unit within the server 1 is made to perform
a service process. The packet relay processing apparatus
can be configured also in a way such that a packet details
analyzing unit is arranged in the server 1, which
analyzes a packet to determine a service, and sets the
contents of the determined service in the network
connecting device 2, and thereafter, the network
connecting device 2 performs a relay process for the
same session based on the contents of the determined
service.

As stated earlier, according to the present 
invention, the above described object is attained as 
follows.

(1) A packet relay processing unit, which is composed
of the packet processing unit 2a and the session managing 
unit 2b, is arranged in the network connecting device 
2, so that the network connecting device 2 performs a 
relay process based on session management. 

As described above, the network connecting device
2 executes capabilities that are conventionally
arranged in a server, thereby reducing the CPU use ratio
of the server 1. Additionally, the network connecting
device 2 performs session management, and registers an
output destination to the session table at the start 
of a session. As a result, the consistency of a session 
currently being continued can be maintained even if a 
routing table is changed during the session. 

(2) In the above described (1), an external session 
managing unit is arranged in the server 1 of the packet 
relay processing apparatus, and the network connecting 
device 2 transfers session information to the server 
1 depending on a given condition, so that the server
1 performs session management.

As a result, a session which overflows in the 
network connecting device 2 can be managed by the server 
1, even if the number of sessions exceeds the number 
which can be registered to the session table of the 
network connecting device 2. 

(3) In the above described (1), a process distributing 
unit 2c and a plurality of service processing units 2d 
are arranged in the network connecting device 2, so that 
the process distributing unit 2c distributes a packet 
to any of the plurality of service processing units 2d, 
and the service processing unit 2d to which the packet 
is distributed is made to perform a service process. 



As described above, the process distributing unit 
2c and the plurality of service processing units 2d are 
arranged in the network connecting device 2 that can 
perform a process faster than the server 1, thereby
reducing the CPU use ratio of the server 1, and speeding 
up a service process. 

(4) In the above described (3), an external service 
processing unit is arranged in the server 1, so that 
the process distributing unit 2c distributes a packet 
depending on a given condition, and the external service 
processing unit within the server 1 is made to perform 
a service process. 

As described above, a service process can be
performed by both the network connecting device 2 and
the server 1, whereby a service process that is difficult
to implement on the network connecting device 2
can be performed by the server 1, and a network service
that requires a complex process can also be handled.

(5) In the above described (1), a process distributing
unit 2c and service processing units 2d are arranged 
in the network connecting device 2, and a packet details 
analyzing unit (not shown) is arranged in the server 
1, so that the process distributing unit 2c transfers 
a packet to the server 1 depending on a given condition, 
and the server 1 analyzes the packet to determine a
service, and sets the contents of the determined service
in the network connecting device 2, which performs a
relay process for packets belonging to the session based
on the set contents of the service thereafter.

As described above, the server 1 analyzes a packet 
to determine a service, and sets the contents of the 
determined service in the network connecting device 2, 
and the network connecting device 2 performs a relay
process for the same session based on the contents of
the determined service thereafter. As a result, a
service process can be performed faster in comparison 
with the case where the server 1 performs all of the 
service processes. 

Fig. 3 shows the configuration of a packet relay
processing apparatus according to a first preferred
embodiment of the present invention. As shown in this
figure, a server 11 comprises a network controlling unit
12. The network controlling unit 12 writes routing
information input by an administrator to a routing table
23a of a network connecting device 20 via a control
information communicating unit 31. The control
information communicating unit 31 is, for example, a
PCI (Peripheral Component Interconnect) bus or a serial
interface.

The network connecting device 20 according to this
preferred embodiment is a device into which a plurality 
of network connecting devices 104 shown in Fig. 1 are 
integrated, and comprises a packet processing unit 21, 
a session managing unit 22, a session table 22a, a 
routing processing unit 23, and a routing table 23a. 
The network connecting device 20 performs a packet 
process, session management, a routing process, etc., 
which are conventionally performed by the server shown 
in Fig. 1. 

In Fig. 3, a packet input from a network is 
transmitted to the packet processing unit 21 of the 
network connecting device 20 via a network connecting 
unit 30. The network connecting unit 30 is, for example, 
an Ethernet (registered trademark) controller. Fig. 4 
exemplifies the structure of a packet in the case where 
the network connecting unit 30 is an Ethernet controller.
As shown in this figure, a packet is composed of a header 
portion and a data portion. 

The packet processing unit 21 performs a process 
represented by a flowchart that is shown in Fig. 5 and 
will be described later, and transmits a packet to the 
session managing unit 22. The session managing unit 22
performs session management as represented by a flowchart
that is shown in Fig. 6 and will be described later,
and passes the packet to the packet processing unit 21.

Then, the packet processing unit 21 processes the 
packet as shown in Fig. 5 to be described later, and 
outputs the packet to the network via the network 
connecting unit 30. 

Fig. 5 is a flowchart showing the process 
performed by the packet processing unit. 

As shown in this figure, the packet processing
unit 21 buffers a packet input from a network (step S1),
and calculates a checksum (step S2). Next, the packet
processing unit 21 defragments the packet (step S3),
and transmits the packet to the session managing unit
22 (step S4).

Then, the packet processing unit 21 fragments the
packet transmitted from the session managing unit 22
(step S5), recalculates a checksum (step S6), and
outputs the packet to the network. Note that the process
performed by the packet processing unit 21 is the same
as that performed by a conventional packet processing
unit.

Fig. 6 is a flowchart showing the process 
performed by the session managing unit 22. 

As shown in this figure, when a packet is input 
to the session managing unit 22, the session managing 
unit 22 searches the session table 22a for the session 
data corresponding to the packet (step S11). The session
table 22a is a table storing session data for managing
a session. Fig. 7 exemplifies the configuration of the
session table 22a. As shown in this figure, session data
includes as entries a session ID (IDentifier) for
identifying a session, a session search key (destination
and source addresses, destination and source ports, and
a protocol) for uniquely determining a session, session
state, an output destination, etc.

In step S11, the session managing unit 22 searches
the session table 22a by using as a session search key
information such as the source/destination IP address
within an IP header of the packet, a protocol within
a TCP header, a source/destination port, etc.

If corresponding session data whose session
search key matches the information within the header
of the packet input to the session managing unit 22 is
not registered to the session table 22a ("NO" in step
S12), this packet is the initial packet of a certain
session. The session managing unit 22 therefore
registers the session data of this session to the session
table 22a (step S13). Namely, in step S13, the session
managing unit 22 writes the session search key
(destination and source addresses, destination and
source ports, and a protocol), and the state of the
session to the session table 22a shown in Fig. 6 based
on the information within the header of the input packet.

Then, the routing processing unit 23 searches the
routing table 23a, and writes the output destination
resulting from the search to the session table 22a (step
S14).

If corresponding session data whose session
search key matches the information within the header
of the packet is registered to the session table 22a
("YES" in step S12), the session managing unit 22
monitors the state of the session, and determines
whether or not the state makes a transition (step S15).
If the state makes a transition ("YES" in step S15),
the session managing unit 22 rewrites the session state
within the session table 22a (step S16).

If the state transition of the session terminates
and the session is closed, namely, if the session state
is TIME_WAIT and CLOSED ("YES" in step S17), the session
managing unit 22 deletes the session data of the session
including the session search key, the session state,
the output destination, etc. from the session table 22a
(step S18). Then, the processed packet is transmitted
to the output destination. If the session state is not
CLOSED ("NO" in step S17), the session managing unit
22 does not perform the operation of step S18, and the
processed packet is transmitted to the output
destination.

Determination of the above described state
transition differs depending on whether the protocol is
TCP (Transmission Control Protocol) or a
different protocol. Hereinafter, explanation is
provided respectively for the TCP and the different
protocol.

Fig. 8 shows the states of a TCP session. As shown 
in this figure, six states such as CLOSED, SYN_RECV, 
ESTAB, FIN_RECV, FIN_SENT, and TIME_WAIT are set as the 
states of the TCP session. 

To the entry "session state" in the session table 
22a, any of the above described 5 states except for 
CLOSED is written as shown in Fig. 7. 

If a session is not registered, its state is CLOSED. 
Upon arrival of a SYN packet in this state, the session 
state makes a transition to SYN_RECV. At this time, the 
session managing unit 22 rewrites the entry "session
state" of the session table 22a to SYN_RECV. Then, the
session state makes a transition to ESTAB (Established) 
state in which a packet is transmitted/received. Upon 
arrival of a FIN packet, the session is terminated. 
Similarly, upon detection of the arrivals of SYN and 
FIN packets, the session managing unit 22 can detect 
the start and the end of a session.

Fig. 9 exemplifies the state transition from the 
start to the end of a TCP session. 

As shown in this figure, if a communication is made 
between a client and a server, the client first transmits 
a SYN packet. Then, the server returns a SYN_ACK packet, 
and the client transmits an ACK packet to the server 
in response to the SYN_ACK packet. As a result, the 
session state makes a transition from SYN to ESTAB. 
Thereafter, the client and the server exchange packets. 
When the session is terminated, for example, the client 
transmits a FIN packet to the server, the server returns 
a FIN_ACK packet to the client, and the client then 
transmits an ACK packet to the server in response to 
the FIN_ACK packet. In this way, the session is 
terminated (the session state makes a transition to 
CLOSED).

For protocols other than the TCP, SYN and FIN flags 
do not exist in a packet. Fig. 10 exemplifies the state 
transition of a UDP (User Datagram Protocol) session. 
If a packet belonging to a session that is not registered 
to the session table 22a arrives as shown in Fig. 10, 
the session managing unit 22 sets the state of the 
session to ESTAB. Since the end of the session cannot
be detected, the session managing unit 22 terminates
the session by deleting the session data of the session
from the session table 22a if a packet does not pass
through for a predetermined time period according to
a timer.

As described above, according to this preferred 
embodiment, the packet relay processing capability 
based on session management is arranged in the network 
connecting device 20, so that the capability that is 
conventionally arranged in the server 11 is implemented 
by the network connecting device 20, thereby reducing 
the CPU use ratio of the server 11. 

Additionally, the session managing unit 22 is 
arranged in the network connecting device 20, and an 
output destination is registered to the session table 
22a at the start of a session and packets belonging to 
the session are processed based on the registered 
information until the session is closed. As a result, 
the consistency of a session currently being continued 
can be maintained, even if routing information of the
routing table 23a is changed during the session. 

Fig. 11 shows the configuration of a packet relay 
processing apparatus according to a second preferred 
embodiment of the present invention. The packet relay 
processing apparatus according to this preferred 
embodiment is an apparatus implemented by further
arranging a server transferring unit 24 transferring
session information to the server 11, a session 
information communicating unit 32 communicating 
session information, an external session managing unit 
13, and an external session table 13a in the packet relay 
processing apparatus according to the first preferred 
embodiment, which is shown in Fig. 3. When the session 
table 22a of the network connecting device 20 becomes 
full, the external session managing unit 13 arranged
in the server 11 performs session management. The other
operations are similar to those in the first preferred
embodiment.

Fig. 12 is a flowchart showing the processes 
performed by the session managing unit and the external 
session managing unit in this preferred embodiment. 

As shown in this figure, when a packet is input 
to the session managing unit 22, the session managing 
unit 22 and the external session managing unit 13 
respectively search the session table 22a and the 
external session table 13a by using the information 
stored in the header of the packet as a search key (step
S21). The session table 22a and the external session
table 13a are tables storing information for managing
a session, which are earlier explained with reference
to Fig. 7.

If corresponding session data whose session
search key matches the information within the header
of the packet input to the session managing unit 22 is
not registered to the session table 22a and the external
session table 13a ("NO" in step S22), this packet is
the initial packet of a session. The session managing
unit 22 therefore determines whether or not the session
table 22a is full (step S23).

If the session table 22a is not full ("NO" in step
S23), the session managing unit 22 registers the session
data of the session to the session table 22a as described
above (step S24). Then, the routing processing unit 23
searches the routing table 23a, and writes a resultant
output destination to the session table 22a (step S25).

If corresponding session data whose session
search key matches the information within the header
of the packet is registered to the session table 22a
("YES" in step S22), the session managing unit 22
monitors the state of the session, and determines
whether or not the state makes a transition (step S26).

If the state makes a transition ("YES" in step S26),
the session managing unit 22 rewrites the state of the
session in the session data stored within the session
table 22a (step S27).

After the state transition of the session
terminates, the session managing unit 22 deletes the
session data from the session table 22a (step S29) if
the state of the session makes a transition to CLOSED
("YES" in step S28). The processed packet is transmitted
to the output destination.

If the session table 22a is full when the initial
packet of the session is registered ("YES" in step S23),
the external session managing unit 13 within the server
11 performs a process similar to the above described
one.

Namely, as explained in the above described steps
S24 and S25, the external session managing unit 13
registers the session data of the session of the packet
to the external session table 13a (step S30), and the
routing processing unit 23 searches the routing table
23a, and writes a resultant output destination to the
external session table 13a (step S31).

If corresponding session data whose session
search key matches the information within the header
of the packet is registered to the external session table
13a ("YES" in step S22), the external session managing
unit 13 monitors the state of the session within the
external session table 13a, and determines whether or
not the state of the session makes a transition (step
S26). If the state makes a transition, the external
session managing unit 13 rewrites "session state" of
the session data corresponding to the session within
the external session table 13a (step S27). After the
state transition of the session terminates, the external
session managing unit 13 deletes the session data of
the session from the session table 13a if the state of
the session makes a transition to CLOSED ("YES" in step
S28).

As described above, according to this preferred
embodiment, the packet relay processing capability
based on session management is arranged in the network
connecting device 20, so that the capability that is
conventionally arranged in the server 1 is implemented
by the network connecting device 20. As a result, the
CPU use ratio of the server 11 can be reduced in a similar
manner as in the first preferred embodiment.
Additionally, as in the first preferred embodiment, the
consistency of a session currently being continued can
be maintained, even if the routing information in the
routing table is changed during the session.

Furthermore, if the number of sessions exceeds the
number that can be registered to the session table of
the network connecting device 20, a session which
overflows in the network connecting device 20 can be
managed by the server 11. This is because the external
session managing unit 13 arranged in the server 11
performs session management.

In the above provided explanation, the external
session managing unit 13, which performs session
management, is arranged in the server 11. However, only
the external session table 13a may be arranged in the
server 11, and session management may be performed by the
session managing unit 22 of the network connecting device
20. Namely, a session which overflows in the session table
22a may be registered to the external session table 13a.
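
The flow of steps S21 to S31 can be modelled in a few lines. The following Python sketch is an added example, not code from the patent: the class and method names, the state names other than CLOSED, the sample addresses, and the unbounded external table are assumptions. It shows overflow into the external session table 13a, the output destination staying fixed after a routing change, and a slot in table 22a being freed on CLOSED.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Session search key: (src_ip, src_port, dst_ip, dst_port, protocol)
Key = Tuple[str, int, str, int, str]


@dataclass
class SessionData:
    key: Key
    state: str             # only CLOSED is named on the page; other names are assumed
    output: Optional[str]  # output destination, fixed when the session is registered


class SessionRelay:
    """Toy model of steps S21-S31: table 22a on the device, table 13a on the server."""

    def __init__(self, capacity_22a: int, routing_table: Dict[str, str]):
        self.capacity_22a = capacity_22a
        self.table_22a: Dict[Key, SessionData] = {}  # network connecting device 20
        self.table_13a: Dict[Key, SessionData] = {}  # server 11 (assumed unbounded)
        self.routing_table = routing_table           # dst_ip -> output destination

    def handle(self, key: Key, observed_state: Optional[str] = None):
        """Process one packet; return (table holding the session, output)."""
        # S21/S22: search both tables with the session search key.
        for name, table in (("22a", self.table_22a), ("13a", self.table_13a)):
            sess = table.get(key)
            if sess is None:
                continue
            # S26/S27: rewrite the stored state when it makes a transition.
            if observed_state is not None and observed_state != sess.state:
                sess.state = observed_state
            # S28/S29: a session that reached CLOSED is deleted, freeing its slot.
            if sess.state == "CLOSED":
                del table[key]
            return name, sess.output

        # No entry in either table: this is the initial packet of a session.
        # S23 picks the table; S24 (22a) or S30 (13a) registers the session.
        if len(self.table_22a) < self.capacity_22a:
            name, table = "22a", self.table_22a
        else:
            name, table = "13a", self.table_13a
        # S25/S31: the routing table is searched once and the result is stored,
        # so a later routing change does not affect this session.
        output = self.routing_table.get(key[2])
        table[key] = SessionData(key, observed_state or "NEW", output)
        return name, output


def demo():
    """Constructed traffic: three sessions against a one-entry table 22a."""
    relay = SessionRelay(capacity_22a=1, routing_table={"192.168.100.75": "if1"})
    a = ("10.25.1.230", 40000, "192.168.100.75", 80, "tcp")
    b = ("10.25.1.231", 40001, "192.168.100.75", 80, "tcp")
    c = ("10.25.1.232", 40002, "192.168.100.75", 80, "tcp")
    results = [relay.handle(a), relay.handle(b)]    # b overflows to 13a
    relay.routing_table["192.168.100.75"] = "if2"   # route changes mid-session
    results.append(relay.handle(a, "ESTABLISHED"))  # still sent to if1
    results.append(relay.handle(a, "CLOSED"))       # frees the slot in 22a
    results.append(relay.handle(c))                 # new session: 22a, if2
    return results


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Every session that lands in table 13a is handled by the server CPU, so the size of table 22a bounds how much session load the device can absorb before the server is involved again.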

Fig. 13 shows the configuration of a packet relay 
processing apparatus according to a third preferred 
embodiment of the present invention. According to this 
preferred embodiment, a process distributing unit 26, 
service processing units 27, and a policy table 25 are 
arranged in the network connecting device 20. With this 
configuration, the network connecting device 20 
performs service processes such as filtering, load 
balancing, NAT, etc. according to a policy set in the 
policy table 25 by the server 11.

As shown in this figure, a server 11 comprises a 
service controlling unit 14. The service controlling 
unit 14 writes a policy to the policy table 25 within 
the network connecting device 20 via a control 
information communicating unit 31. Here, a policy is
a rule for applying a service such as filtering, load
balancing, etc. By way of example, for the filtering,
whether to discard or to pass a packet in the range of
a policy search key is set based on a policy. For the
load balancing, a virtual (representative) IP address
and port number, and IP addresses and port numbers of
servers at all of distribution destinations are set
based on a policy. For the NAT, the IP address and port
number after translation are set based on a policy.

The network connecting device 20 according to this 
preferred embodiment comprises a packet processing unit 
21, a session managing unit 22, and a session table 22a',
similar to the first preferred embodiment. The network 
connecting device 20 further comprises the above 
described policy table 25, process distributing unit 
26, and service processing units 27. The plurality of 
service processing units 27 are arranged to support the 
types of services applied to a packet. 

According to this preferred embodiment, upon 
receipt of a packet, the session managing unit 22 
searches the session table 22a' for session data by using 
the information within the header of the received packet.
If the session data indicated by the information within
the header of the packet is registered to the session
table 22a', a process that is almost similar to the above
described one is performed.

If the session data indicated by the information
within the header of the packet is not registered to
the session table 22a', the session managing unit 22
references the policy table 25, generates session data
based on a policy to be applied to the packet, and stores
the generated session data in the session table 22a'.

The process distributing unit 26 determines a 
service to be applied to the packet based on the session 
data stored in the session table 22a', and distributes 
the packet to the service processing unit 27 
corresponding to the determined service. The plurality 
of service processing units 27 respectively perform 
processes required for services. 

The session table 22a' and the policy table 25
according to this preferred embodiment are described 
below with reference to Figs. 14 and 15. Fig. 14 
exemplifies the structure of the session table 22a' 
according to this preferred embodiment. The session 
table 22a' is a table storing session data for managing 
a session as described above. Session data includes as 
entries a session ID, a session search key (destination 
and source addresses and ports, a protocol, etc.), a 
session state, an output destination, etc. In this 
preferred embodiment, session data further includes as 
entries an applied service type (filtering, load
balancing, etc.), and service-specific information (a
distribution destination address, etc.), consistency 
duration, an event flag, etc. in addition to the above 
described information entries. The applied service type 
indicates a service to be applied to a packet. The 
service-specific information indicates information 
specific to a service to be applied. For example, if 
the applied service type is load balancing, an address 
of a distribution destination is considered as the 
service-specific information. The consistency duration 
indicates a time period during which session data is 
held from the termination of a session. Namely, session 
data is not deleted from the session table 22a' despite
the termination of a session until the consistency 
duration elapses. The event flag indicates whether or 
not to record a log of a packet or the header of a packet. 
If the event flag is ON, a packet or the header of a 
packet is transferred to the server 11, which records 
the log of the packet or the header of the packet. 

Fig. 15 exemplifies the configuration of the 
policy table. The policy table stores a policy, which 
is a rule for applying a service to a packet. As shown 
in this figure, a policy includes a policy ID, a policy 
search key, an applied service type, service-specific 
information, priority, a group ID, an event flag,
consistency duration, and the number of policy hits.

The policy ID is information for identifying a 
policy. The policy search key is information for 
determining a policy to be applied to a packet. The 
applied service type is a service applied to a packet 
based on a policy. The service-specific information is 
information specific to an applied service, similar to 
session data. The priority is a numeric value indicating 
the priority of a policy. The smaller the value of a 
priority, the more the corresponding policy is 
prioritized. The priority is used to determine which
policy takes precedence when information within the
header of a packet hits the policy search keys of several
policies. The group ID is information for identifying
a group to which a policy belongs. The event flag and 
the consistency duration are similar to those of session 
data. The number of policy hits stores the count value 
of sessions that hit the policy. 

Processes using the event flag, the consistency 
duration, the group ID, and the number of policy hits 
will be described later as examples of modifications. 

The operations of the packet relay processing 
apparatus according to the third preferred embodiment, 
which is shown in Fig. 13, are explained below with 
reference to Figs. 16 to 20.

In the packet relay processing apparatus shown in
Fig. 13, a packet input from the network first passes 
through the network connecting unit 30, and is 
transmitted to the packet processing unit 21. 

After the packet processing unit 21 buffers the 
input packet, calculates a checksum, and defragments 
the packet, it transmits the packet to the session 
managing unit 22. Then, the packet processing unit 21 
fragments the packet returned from the session managing 
unit 22, recalculates a checksum, and outputs the packet 
to the network via the network connecting unit 30. 

Fig. 16 is a flowchart showing the process 
performed by the session managing unit 22 according to 
this preferred embodiment. 

As shown in this figure, when a packet is input 
to the session managing unit 22, the session managing 
unit 22 searches the session table 22a' shown in Fig. 
14 for corresponding session data by using the 
information within the header of the packet (step S41).

In a similar manner as in the first preferred 
embodiment, the session table is searched by using as 
a session search key information such as source and 
destination IP addresses within an IP header of the 
packet, and a protocol and source and destination ports 
within a TCP header.

If corresponding session data whose session
search key matches the information within the header
of the packet is not registered to the session table
22a' ("NO" in step S42), this packet is the initial
packet of a session. The session managing unit 22
therefore searches the policy table 25 shown in Fig.
15 for a policy by using the information within the
header of the packet in order to determine a service
to be applied to the session (step S43).

The policy table 25 stores a policy search key
(destination and source addresses and ports, a protocol,
etc.; an arbitrary or a range specification may be made),
an applied service type (filtering and discarding, load
balancing, etc.), service-specific information (all of
distribution destination addresses, etc.), and a
priority in addition to routing information.

If a policy of the policy table 25 matches the
information within the header of the packet as a result
of the search, this policy is written to the applied
service type entry of the session table 22a'. That is,
the session managing unit 22 obtains from the policy
table 25 the policy having the policy search key that
matches the information stored in the header of the
packet. Then, the session managing unit 22 generates
session data whose session search key is based on the
information within the header of the packet, and
registers the generated session data to the session
table 22a'. Besides, the session managing unit 22
respectively writes the applied service type and the
service-specific information, which are included in the
policy, to the applied service type and the
service-specific information entries of the registered
session data (step S44).

If the information within the header of the packet 
matches a plurality of policies, the policies are 
processed in descending order of priorities within the 
policy table 25. If the information within the header 
of the packet matches a plurality of identical services, 
the service having the highest priority is adopted, and 
the remaining services are invalidated. 

Next, the process performed when a plurality of 
policies, which include policy search keys that match 
information stored in the header of a packet, exist at 
the time of searching the policy table 25 is explained 
more specifically. 

If applied service types included in the plurality
of obtained policies do not conflict with one another,
the session managing unit 22 writes the applied service
types to the applied service type entry of the session
data in ascending order of the values of the priorities
of the policies (namely, in descending order of the
priorities). As a result, the plurality of services are
applied to the packet belonging to the session in
descending order of the priorities.

If the applied service types included in the
plurality of obtained policies conflict with one another,
the session managing unit 22 writes only the applied
service type of the policy having the smallest priority
value among the policies to the applied service type
entry of the session data. As a result, only the service
having the highest priority is applied to the packet.

Next, explanation is provided by taking a specific
example. Here, assume that the following six policies
are obtained as policies having policy search keys that
match information stored in the header of a packet.

policy 1 : applied service = filtering and passing
           priority value = 10
policy 2 : applied service = filtering and passing
           priority value = 100
policy 3 : applied service = filtering and passing
           priority value = 200
policy 4 : applied service = load balancing
           priority value = 1000
policy 5 : applied service = load balancing
           priority value = 2000
policy 6 : applied service = load balancing
           priority value = 3000

In this case, the filtering and passing, and the
load balancing are applied service types that do not
conflict with each other. Additionally, since all of
the applied service types of the policies 1 through 3
are filtering and passing, they conflict with one
another. Similarly, since all of the applied service types
of the policies 4 through 6 are the load balancing, they
also conflict with one another. The session managing
unit 22 adopts the policy 1 having the smallest priority
value among the policies whose applied service types
are the filtering and passing, and the policy 4 having
the smallest priority value among the policies whose
applied service types are the load balancing. Then, the
session managing unit 22 writes the filtering and
passing, and the load balancing in this order to the
applied service type entry of the session data, because
the priority value of the policy 1 is smaller than that
of the policy 4. As a result, the load balancing service
is applied to the packet after the filtering and passing.
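
The selection rule above can be written as a short routine. The following Python sketch is an added example, not code from the patent: the field names, the reduction of the policy search key to a destination range and port, the service-specific values, and policy 7 are assumptions. Two policies are treated as conflicting only when their applied service types are identical, which is how the six-policy example defines a conflict.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Policy:
    policy_id: int
    service: str                    # applied service type
    priority: int                   # smaller value = higher priority
    dst_net: str = "0.0.0.0/0"      # policy search key (assumed): destination range
    dst_port: Optional[int] = None  # policy search key (assumed): None = arbitrary
    info: Dict[str, object] = field(default_factory=dict)  # service-specific information


def matches(policy: Policy, dst_ip: str, dst_port: int) -> bool:
    """True when the packet header falls inside the policy search key."""
    in_range = ip_address(dst_ip) in ip_network(policy.dst_net)
    return in_range and policy.dst_port in (None, dst_port)


def resolve(policies: List[Policy], dst_ip: str, dst_port: int) -> List[Policy]:
    """Keep one policy per applied service type, ordered by priority value."""
    winners: Dict[str, Policy] = {}
    for p in policies:
        if not matches(p, dst_ip, dst_port):
            continue
        best = winners.get(p.service)
        # Identical service types conflict: the smallest priority value wins.
        if best is None or p.priority < best.priority:
            winners[p.service] = p
    # Non-conflicting types are all kept, in ascending priority value.
    return sorted(winners.values(), key=lambda p: p.priority)


def build_session_data(policies: List[Policy], dst_ip: str, dst_port: int) -> dict:
    """Step S44: copy the adopted policies into the new session data."""
    adopted = resolve(policies, dst_ip, dst_port)
    return {
        "applied_service_types": [p.service for p in adopted],
        "service_specific_information": {p.service: p.info for p in adopted},
        "adopted_policy_ids": [p.policy_id for p in adopted],
    }


# Policies 1-6 carry the services and priority values of the example above.
# Policy 7 and all search keys and service-specific values are constructed.
POLICY_TABLE = [
    Policy(1, "filtering and passing", 10),
    Policy(2, "filtering and passing", 100),
    Policy(3, "filtering and passing", 200),
    Policy(4, "load balancing", 1000,
           info={"servers": ["192.168.100.100", "192.168.100.101"]}),
    Policy(5, "load balancing", 2000),
    Policy(6, "load balancing", 3000),
    Policy(7, "filtering and discarding", 1, dst_net="203.0.113.0/24"),
]

if __name__ == "__main__":
    print(build_session_data(POLICY_TABLE, "192.168.100.75", 80))
    # Under this literal reading, "filtering and discarding" and "filtering and
    # passing" are different types, so both are kept for a packet that matches
    # both. The page does not say whether the two conflict.
    print(build_session_data(POLICY_TABLE, "203.0.113.5", 80))
```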

The process for the state transition of a session 
in steps S45 to S48, which is performed when the result 
of the search is "YES" in step S42, is similar to that 
explained in the first preferred embodiment. Namely, 
if corresponding session data is registered to the
session table 22a', the session managing unit 22
monitors the session state of the session table 22a',
and determines whether or not the state makes a
transition (step S45). If the session state makes a
transition ("YES" in step S45), the session managing
unit 22 rewrites the session state of the session table
22a' (step S46). After the state transition of the
session terminates, the session managing unit 22 deletes
the session data of this session from the session table
22a' (step S48). The processed packet is then
transmitted to the process distributing unit 26 (step
S49).

Fig. 17 is a flowchart showing the processes 
performed by the process distributing unit 26 and the 
service processing unit 27. 

The process distributing unit 26 and the service
processing unit 27 determine a service to be applied
to a packet, and perform processes required for each
service.

In Fig. 17, when a packet is input to the process
distributing unit 26, the process distributing unit 26
searches the session table 22a' for session data
corresponding to the input packet by using the
information within the header of the packet. If the
applied service type indicated by the session data which
is obtained as a result of the search is a routing process
(step S51), the process distributing unit 26 distributes
the packet to the service processing unit 27 which
performs the routing process.

If a routing destination is not registered to the 
entry of the session data, which corresponds to the input 
packet, a routing table is referenced, and an output 
destination interface and a destination MAC address are 
written to the session table 22a'.

To be more specific, the process distributing unit
26 determines whether or not the session data includes
the routing destination (step S51). If the session data
does not include the routing destination ("YES" in step
S51), the service processing unit 27 to which the packet
is distributed searches the routing table (not shown
in Fig. 13) by using the destination IP address included
in the session data, determines the output destination
interface and the destination MAC address, which are
obtained as a result of the search, as the routing
destination (step S52), and writes the determined
routing destination to the session data (step S53).
Thereafter, packets of the session corresponding to the
session data are transferred to the determined routing
destination. Then, the process of the service processing
unit 26 proceeds to step S56.

If the process distributing unit 26 determines
that the input packet is a packet to which the load
balancing service is to be applied, and the session data
does not include a distribution destination server,
namely, the distribution destination server has not been
determined at the time of referencing the applied
service type entry of the session data that is obtained
as a result of searching the session table 22a' ("YES"
in step S56), the process distributing unit 26
distributes the packet to the service processing unit
27 that performs the load balancing process. The service
processing unit 27 to which the packet is distributed
determines the distribution destination server (step
S57), and writes the address of the determined
distribution destination to the corresponding
service-specific information entry of the session table
22a' (step S58). The process then proceeds to step S61.

If the process distributing unit 26 determines
that the input packet is a packet to which a filtering
and discarding service is to be applied at the time of
referencing the applied service type entry of the
session data that is obtained as a result of searching
the session table 22a' ("YES" in step S61), the process
distributing unit 26 distributes the packet to the
service processing unit 27 which performs the packet
discarding process. The service processing unit 27 to
which the packet is distributed discards the packet
(step S62), and terminates the process. If the result
of the determination made in step S61 is "NO", the
process proceeds to step S63.

If the process distributing unit 26 determines
that the input packet is a packet to which a load
balancing or a NAT service is to be applied at the time
of referencing the applied service type entry of the
session data that is obtained as a result of searching
the session table 22a', it determines that the input
packet is a packet whose header must be rewritten ("YES"
in step S63). The process distributing unit 26
distributes the packet to the service processing unit
27 which performs the header rewrite process. The
service processing unit 27 to which the packet is
distributed rewrites the source/destination IP address,
the source/destination port, etc. within the IP header
and the TCP header of the packet according to the session
data stored in the session table 22a' (step S64), and
terminates the process. If a plurality of applied
services are stored in session data, they are applied
to an input packet in an order where they are stored.

As described above, according to this preferred
embodiment, the CPU use ratio of the server 11 can be
reduced in a similar manner as in the first preferred
embodiment, and the consistency of a session currently
being continued can be maintained even if a routing table
is changed during the session.

Additionally, a process distributing unit 26 and 
a plurality of service processing units 27, which 
support a plurality of services, are arranged in the 
network connecting device 20 that can perform a process 
faster than the server 11. Consequently, the CPU use 
ratio of the server 11 can be reduced, and at the same 
time, a service process can be performed faster. 

Furthermore, according to this preferred 
embodiment, a plurality of service processing units 27 
are arranged in the network connecting device 20 
depending on services. As a result, a new service 
processing unit 27 which supports a necessary service 
is added to the network connecting device 20 if the new 
service becomes necessary, whereby flexible 
configuration that can support a new service is easily 
implemented. For example, if VPN (Virtual Private 
Network) encryption and decryption services become 
necessary, service processing units 27 that 
respectively apply VPN encryption and decryption 
services are newly added, thereby coping with an
addition of a new service.

The header rewrite process is described in further 
detail below with reference to Fig. 18. This figure shows
the packet flow in the case where the network connecting 
device 20 applies a load balancing service in this 
preferred embodiment. Note that the packet flow shown 
in Fig. 18 corresponds to the session data whose session 
IDs are 2 and 3 within the session table 22a' shown in 
Fig. 14. Additionally, the orientations of arrows 
indicate the directions where a packet is transmitted. 

When a packet is transmitted from a client having
an address 10.25.1.230 to a server having an address
192.168.100.75, a packet P1 whose header stores
"destination address: 192.168.100.75, source address:
10.25.1.230" is first transmitted from the client to
the network connecting device 20 as indicated by an arrow
A1. The session managing unit 22 within the network
connecting device 20 searches the session table 22a'
shown in Fig. 14 by using as a session search key the
source address 10.25.1.230, the destination address
192.168.100.75, etc., which are included in the packet
P1, and obtains the session data whose session ID is
3.

Since the applied service type within the obtained
session data is "header rewrite", the process
distributing unit 26 within the network connecting
device 20 distributes the packet to the service
processing unit 27 which performs the header rewrite
process. Since service-specific information within the
session data is "destination address: 192.168.100.100",
the service processing unit 27 to which the packet is
distributed rewrites the destination address within the
packet P1 from "192.168.100.75" to "192.168.100.100".
As a result, a packet P2 whose header stores "destination
address: 192.168.100.100, source address: 10.25.1.230"
is transmitted from the network connecting device 20
to the distribution destination server having the
address 192.168.100.100 as indicated by an arrow A2.

Inversely, if a packet is transmitted from the
distribution destination server having the address
192.168.100.100 to the client having the address
10.25.1.230, a packet P3 whose header stores
"destination address: 10.25.1.230, source address:
192.168.100.100" is first transmitted from the
distribution destination server to the network
connecting device 20 as indicated by an arrow A3. The
session managing unit 22 within the network connecting
device 20 searches the session table 22a' shown in Fig.
14 by using as a session search key the source and the
destination addresses included in the packet P3, and
obtains the session data whose session ID is 2.

Because the applied service type entry within the
obtained data indicates "header rewrite", the process
distributing unit 26 within the network connecting
device 20 distributes the packet to the service
processing unit 27 which performs the header rewrite
process. The service processing unit 27 to which the
packet is distributed rewrites the source address within
the packet from "192.168.100.100" to "192.168.100.75"
based on service-specific information within the
session data. As a result, a packet P4 whose header
stores "destination address: 10.25.1.230, source
address: 192.168.100.75" is transmitted from the
network connecting device 20 to the client having the
address 10.25.1.230. In this way, the network connecting
device 20 can distribute the load on a destination server
included in a packet by rewriting the header of the
packet.
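
The distribution flow of Fig. 17 and the packet flow of Fig. 18 can be traced with a small dispatcher. The following Python sketch is an added example, not code from the patent: the session search key is reduced to the source and destination addresses, sessions 90 and 91 are constructed, and the round-robin choice of a distribution destination is an assumption, since the page does not say how the server is chosen.

```python
from dataclasses import dataclass, field
from itertools import cycle
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class SessionData:
    session_id: int
    services: List[str]  # applied service types, in stored order
    info: Dict[str, str] = field(default_factory=dict)  # service-specific information


def load_balance(pkt: Packet, sess: SessionData, pool: Iterator[str]) -> Optional[Packet]:
    # S56-S58: choose the distribution destination once and record it in the
    # session data, so that later packets of the session keep the same server.
    if "destination address" not in sess.info:
        sess.info["destination address"] = next(pool)
    return pkt


def discard(pkt: Packet, sess: SessionData, pool: Iterator[str]) -> Optional[Packet]:
    return None  # S62: the packet is dropped and processing ends


def header_rewrite(pkt: Packet, sess: SessionData, pool: Iterator[str]) -> Optional[Packet]:
    # S64: rewrite the header fields named in the service-specific information.
    return Packet(src=sess.info.get("source address", pkt.src),
                  dst=sess.info.get("destination address", pkt.dst))


# One service processing unit per applied service type.
SERVICE_UNITS = {
    "load balancing": load_balance,
    "filtering and discarding": discard,
    "header rewrite": header_rewrite,
}

Table = Dict[Tuple[str, str], SessionData]


def distribute(table: Table, pkt: Packet, pool: Iterator[str]) -> Optional[Packet]:
    """Apply the stored services in order; return the output packet or None."""
    sess = table[(pkt.src, pkt.dst)]  # registered earlier by the session managing unit
    for service in sess.services:
        result = SERVICE_UNITS[service](pkt, sess, pool)
        if result is None:
            return None
        pkt = result
    return pkt


def sample_table() -> Table:
    return {
        # Sessions 3 and 2 as described for Fig. 18.
        ("10.25.1.230", "192.168.100.75"):
            SessionData(3, ["header rewrite"], {"destination address": "192.168.100.100"}),
        ("192.168.100.100", "10.25.1.230"):
            SessionData(2, ["header rewrite"], {"source address": "192.168.100.75"}),
        # Constructed sessions: a new load-balanced session and a discarded one.
        ("10.25.1.231", "192.168.100.75"):
            SessionData(90, ["load balancing", "header rewrite"]),
        ("198.51.100.9", "192.168.100.75"):
            SessionData(91, ["filtering and discarding", "header rewrite"]),
    }


if __name__ == "__main__":
    table = sample_table()
    pool = cycle(["192.168.100.100", "192.168.100.101"])
    print(distribute(table, Packet("10.25.1.230", "192.168.100.75"), pool))   # P1 -> P2
    print(distribute(table, Packet("192.168.100.100", "10.25.1.230"), pool))  # P3 -> P4
    print(distribute(table, Packet("198.51.100.9", "192.168.100.75"), pool))  # dropped
```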

Fig. 19 shows the configuration of a packet relay 
processing apparatus according to a fourth preferred 
embodiment of the present invention. According to this 
preferred embodiment, a server transfer capability is 
arranged in the process distributing unit 26, and an 
external service processing unit 15 is arranged in the 
server 11 in the above described packet relay processing
apparatus according to the third preferred embodiment,
so that a service process can be performed by both the 
network connecting device 20 and the server 11. If a 
service process is performed by the server 11 in this 
preferred embodiment, not only the contents of the 
service, but also a transfer to the server 11 is set 
in the policy in the policy table 25. The other 
operations are similar to those in the third preferred 
embodiment.

As shown in Fig. 19, a plurality of external 
service processing units 15 can be arranged in the server 
11 depending on applied service types, similar to the 
service processing units 27 according to the third 
preferred embodiment. Therefore, similar to the service
processing units 27 according to the third preferred 
embodiment, a new external service processing unit 15 
which supports a new service type is added to the server 
11 if the new service type becomes necessary, thereby 
easily coping with an addition of a new service. 

Since the configurations of the session table 22a' 
and the policy table 25 according to this preferred 
embodiment are almost similar to those in the third 
preferred embodiment, detailed explanations are 
omitted. A difference is that a transfer to the server 
11, and the contents of a service applied by the external
service processing unit 15, can be set in the session
table 22a' and the policy table 25 in addition to the 
contents of a service applied by the service processing 
unit 27, according to the fourth preferred embodiment. 

Fig. 20 is a flowchart showing the processes 
performed by the process distributing unit 26, the 
service processing unit 27, and the external service 
processing unit 15. In this figure, operations in steps 
S51 to S64 are the same as those in Fig. 17. By way of 
example, if "routing" is written to the applied service 
type entry, and a routing destination is not written 
in the session data corresponding to an input packet 
within the session table 22a', the service processing
unit 27 references the routing table within the policy
table 25, and writes an output destination interface
and a destination MAC address to the session data within
the session table 22a'.

As described above, if a "server transfer" is not 
set in the applied service type entry when referencing 
the applied service type within the session table 22a',
a process according to the applied service type is 
performed, and a header rewrite process is performed 
if a packet requires the header rewrite as explained 
with reference to Fig. 17. 

Additionally, according to this preferred 
embodiment, some of service processes are performed by
the external service processing unit 15 within the 
server 11. To implement this, the process distributing 
unit 26 performs the following operations in addition 
to the operations in steps S51 to S64 of Fig. 17. 

Namely, the process distributing unit 26
references the applied service type entry of session
data that is obtained as a result of searching the
session table 22a', and determines whether or not an
input packet is a packet to be transferred to the server
11 (step S71). If "server transfer: ON" and an applied
service type are set in the applied service type entry
of the session data ("YES" in step S71), the process
distributing unit 26 distributes the packet to the
service processing unit 27 which performs the process
for attaching a header for a transfer. The service
processing unit 27 to which the packet is distributed
attaches the header for a transfer to the packet.
Contents of the header for a transfer include, for
example, an applied service type, a session ID, and an
input interface of session data corresponding to a
packet. Next, the service processing unit 27 transfers
the packet to the external service processing unit 15
within the server 11 via the packet communicating unit
33 (step S72). The external service processing unit 15
which supports the applied service type processes the
received packet (step S73).

The process flow of the external service 
processing unit 15 is similar to that shown in Fig. 17. 
For example, if a routing destination has not been 
determined yet within the session data, the external 
service processing unit 15 determines the routing 
destination, and writes an output destination interface 
and a destination MAC address to the session table 22a'.

If an input packet is a packet to which a load 
balancing service is to be applied and its distribution 
destination has not been determined yet within the 
session data, the external service processing unit 15 
determines a distribution destination server, and 
writes the determined distribution destination server
to the service-specific information entry of
corresponding session data within the session table 22a'.
If the input packet is a packet to which a filtering 
and discarding service is to be applied, the external 
service processing unit 15 discards the packet. 

Or, if the input packet is a packet to which a load
balancing or a NAT service is to be applied, the external
service processing unit 15 rewrites the
source/destination IP address, the source/destination
port, etc. within the IP and the TCP headers of the packet
according to the session data within the session table
22a'.

The above provided explanation refers to the case 
where the external service processing unit 15 applies 
the same service as that applied by the network 
connecting device 20. However, the external service 
processing unit 15 may perform service processes such 
as encryption, decryption, a proxy process, contents 
translation, protocol conversion, etc., which are not 
performed by the network connecting device 20. 

As described above, according to this preferred 
embodiment, the packet relay processing capability 
based on session management is arranged in the network 
connecting device 20, so that the capability that is 
conventionally arranged in a server is implemented by 
the network connecting device 20. Consequently, the CPU 
use ratio of the server 11 can be reduced in a similar 
manner as in the first preferred embodiment. 
Additionally, similar to the first preferred embodiment, 
the consistency of a session currently being continued 
can be maintained, even if a routing table is changed 
during the session. Furthermore, the capability for 
transferring a packet to the server is arranged in the 
process distributing unit 26, and the external service 
processing unit 15 is arranged in the server 11, so that 
a service process can be performed by both the network 
connecting device 20 and the server 11. As a result, 
a service process that is difficult to implement in 
the network connecting device 20 can be performed 
by the server 11, which also covers the case where 
a network service requires a complex process. 

A fifth preferred embodiment is described next. 
Fig. 21 shows the configuration of a packet relay 
processing apparatus according to the fifth preferred 
embodiment of the present invention. As shown in Fig. 
21, the packet relay processing apparatus according to 
this preferred embodiment further comprises a packet 
details analyzing unit 16 in the server 11 that 
configures the packet relay processing apparatus 
according to the third preferred embodiment. With this 
configuration, a process distributing unit 26 within 
a network connecting device 20 transfers a packet to 
the server 11 depending on a given condition, and the 
packet details analyzing unit 16 within the server 11 
analyzes the packet, determines a service, and sets the 
contents of the determined service in the network 
connecting device 20. Once the contents of the 
determined service are set, the network connecting 
device 20 performs a relay process based on the contents 
of the determined service for the same session. 

In Fig. 21, the server 11 comprises a service 
controlling unit 14 in a similar manner as in the third 
and the fourth preferred embodiments. The service 
controlling unit 14 writes a policy to the policy table 
25 within the network connecting device 20 via the 
control information communicating unit 31 as described 
above. The service controlling unit 14 also writes a 
policy to a policy table for details analysis (not shown 
in Fig. 21) that the server 11 comprises. 

The server 11 further comprises the packet details 
analyzing unit 16. The packet details analyzing unit 
16 analyzes a packet and determines a service for a 
session including the packet based on the session table 
for details analysis and the policy table for details 
analysis, which are not shown, and resets session data 
stored within the session table 22a' of the network 
connecting device 20 based on the contents of the 
determined service. After the session data is reset, 
the network connecting device 20 performs a relay 
process based on the contents of the service set in the 
session data. Data configurations of the session table 
for details analysis and the policy table for details 
analysis will be described later. 

Similar to the service processing units 27 and the 
external service processing units 15 in the third and 
the fourth preferred embodiments, a plurality of packet 
details analyzing units 16 can be arranged in the server 
11 depending on applied service types. Accordingly, a 
new packet details analyzing unit 16 which supports a 
new service type is added to the server 11 if the new 
service type becomes necessary, thereby easily coping 
with an addition of a new service. 

The network connecting device 20 according to this 
preferred embodiment comprises a packet processing unit 
21, a session managing unit 22, a session table 22a', 
a policy table 25, a process distributing unit 26, and 
service processing units 27, similar to the network 
connecting device 20 according to the third preferred 
embodiment. Furthermore, the process distributing unit 
26 comprises the capability for transferring a packet 
to the server. 

The processes performed by the packet processing 
unit 21, the session managing unit 22, the process 
distributing unit 26, and the service processing unit 
27 are similar to those in the third preferred embodiment. 
Since the data configuration of the policy table 25 
according to this preferred embodiment is similar to 
that in the third preferred embodiment, its explanation 
is omitted here. The data configuration of the session 
table 22a' according to this preferred embodiment will 
be described later. 

Furthermore, in this preferred embodiment, a 
range in which a service is to be applied to a packet 
transferred to the packet details analyzing unit 16 (for 
example, http indicates a range of a packet to which 
a URL filtering service is to be applied) is preset by 
the server 11 in the applied service type entry within 
the policy table 25. The process distributing unit 26 
determines a packet to be transferred to the server 11 
by referencing the policy table 25 in a similar manner 
as in the fourth preferred embodiment, attaches 
information indicating an applied service type to the 
header of the packet, and transfers the packet to the 
packet details analyzing unit 16 within the server 11 
via the packet communicating unit 33. 

The data configurations of the tables according 
to this preferred embodiment are described below with 
reference to Figs. 22 to 27. Firstly, the session table 
22a' according to this preferred embodiment is explained 
with reference to Figs. 22 to 25. As shown in Figs. 22 
to 25, entries included in session data stored in the 
session table 22a' are similar to those in the session 
table 22a' shown in Fig. 14. According to this preferred 
embodiment, however, after session data is registered 
to the session table 22a', the packet details analyzing 
unit 16 analyzes a packet, and resets the session data 
within the session table 22a' based on an analysis 
result. 

Figs. 22 and 23 exemplify the session table 22a' 
when the session managing unit 22 registers session data 
based on the policy table 25. As shown in these figures, 
"server transfer: ON" is stored in the applied service 
type entry of each session data, since the packet details 
analyzing unit 16 has not yet made an analysis. 
Accordingly, a packet of a session corresponding to each 
session data is transferred to the server 11. 

Figs. 24 and 25 exemplify the session table 22a' 
after the packet details analyzing unit 16 resets 
session data based on an analysis result of a packet. 
As shown in these figures, "server transfer: OFF" is 
stored in the applied service type entry of each session 
data, since the packet details analyzing unit 16 has 
made an analysis. Accordingly, a packet of a session 
corresponding to each session data is not transferred 
to the server 11 thereafter. 

Since the session data has been reset by the packet 
details analyzing unit 16, the following differences 
further exist between the session table 22a' shown in 
Figs. 22 and 23 and that shown in Figs. 24 and 25. 

As shown in Fig. 22, "URL filtering" is stored 
in the applied service type entry of session data whose 
session IDs are 0 and 1. In the meantime, "filtering 
and passing" is stored in the same entry of the session 
data whose session IDs are the same, which are shown 
in Fig. 24, since it has been determined that a packet 
is made to pass through as a result of the analysis of 
the packet, which is made by the packet details analyzing 
unit 16. 

As shown in Fig. 22, "URL load balancing" is stored 
in the applied service type entry of session data whose 
session IDs are 2 to 5, but information about a 
distribution destination server is not stored in the 
service-specific information entry. In the meantime, 
since a distribution destination server has been 
determined as a result of the analysis of the packet, 
which is made by the packet details analyzing unit 16, 
the session data whose session IDs are 3 and 4 are deleted, 
"header rewrite" is stored in the applied service type 
entry of the session data whose session IDs are 2 and 
5, and the information about the distribution 
destination server is stored in the service-specific 
information entry as shown in Fig. 24. 

As shown in Fig. 23, "FTP (File Transfer Protocol) 
filtering" is stored in the applied service type entry 
of session data whose session IDs are 6 and 7. Thereafter, 
it has been determined that the packet of each of the 
sessions is made to pass through as a result of the 
analysis of the packet, which is made by the packet 
details analyzing unit 16. Accordingly, session data 
for data connections, whose session IDs are 8 and 9, 
are newly registered in addition to the session data 
for control connections, whose session IDs are 6 and 
7, and "filtering and passing" is stored in the applied 
service type entry of the session data having the session 
IDs 8 and 9, as shown in Fig. 25. 

Next, the tables comprised by the packet details 
analyzing unit 16 are described with reference to Figs. 
26 and 27. The packet details analyzing unit 16 comprises 
a session table for details analysis, and a policy table 
for details analysis in order to analyze a packet. 

Fig. 26 exemplifies the session table for details 
analysis. The session table for details analysis, which 
is shown in Fig. 26, corresponds to the session table 
22a' shown in Figs. 22 and 23. As shown in Fig. 26, 
session data stored in the session table for details 
analysis includes as entries a session ID, a session 
search key, a session state, an associated session, and 
an applied service type. The entries except for the 
associated session are similar to those of the session 
data stored in the session table 22a'. The associated 
session is a session ID of a session that is determined 
to be associated as a result of a packet analysis made 
by the packet details analyzing unit 16. Session data 
within the session table for details analysis is 
registered by the packet details analyzing unit 16 at 
the time of a details analysis based on the session data 
stored in the session table 22a', and deleted by the 
packet details analyzing unit 16 upon termination of 
the details analysis. 

Fig. 27 exemplifies the configuration of the 
policy table for details analysis. The policy table for 
details analysis, which is shown in Fig. 27, stores a 
policy that includes further details than those in the 
policy table 25 shown in Fig. 15. By way of example, 
for the URL filtering, a table for URL filtering, which 
indicates whether to pass or to discard a packet for 
each URL, is arranged in the policy table for details 
analysis. Additionally, for the FTP filtering, a table 
for FTP filtering, which indicates whether a packet is 
either passed or discarded for each IP address and port 
number, is arranged. Furthermore, for the URL load 
balancing, a table for URL load balancing, which 
indicates an IP address being a candidate of a 
distribution destination server, and a distribution 
method, etc. for each URL, is arranged. Note that the 
session table for details analysis, which is shown in 
Fig. 26, corresponds to the session table 22a' shown 
in Figs. 22 to 25. 

The concept of the operations of the packet relay 
processing apparatus according to the fifth preferred 
embodiment is described below with reference to Fig. 
28. In this figure, solid line arrows indicate the 
directions where a packet proceeds, whereas broken line 
arrows indicate data read/write operations from/to the 
tables. 

Firstly, the service controlling unit 14 within 
the server 11 writes a policy to the policy table 25 
within the network connecting device 20, and the policy 
table for details analysis within the packet details 
analyzing unit 16 via the control information 
communicating unit 31 (arrow A11). 

When a packet is input to the network connecting 
device 20, the session managing unit references the 
policy table 25 by using the information stored in the 
header of the packet, obtains a policy whose policy 
search key matches the information within the header, 
generates session data based on the policy, and stores 
the session data in the session table 22a' (arrow A12). 

If "server transfer: ON" is stored in the applied 
service type entry of the session data, the process 
distributing unit 26 transfers the packet to the packet 
details analyzing unit 16 via the packet communicating 
unit 33. The packet details analyzing unit 16 analyzes 
the packet by using the policy table for details analysis 
and the session table for details analysis (arrow A13). 
The packet details analyzing unit 16 resets the session 
data stored in the session table 22a' within the network 
connecting device 20 based on an analysis result of the 
packet (arrow A14). Once the packet is analyzed, 
subsequent packets of the session corresponding to the 
reset session data, which are input to the network 
connecting device 20, are processed by the service 
processing unit 27 without being analyzed by the packet 
details analyzing unit 16, and output from the network 
connecting device 20 (arrow A15). 

The operations of the packet relay processing 
apparatus according to the fifth preferred embodiment 
are described below. Since the processes performed by 
the packet processing unit 21 and the session managing 
unit 22 are similar to those in the first to the fourth 
preferred embodiments, their explanations are omitted 
here. Hereinafter, the explanation focuses on the 
processes performed by the process distributing unit 26, 
the service processing unit 27, and the packet details 
analyzing unit 16. 

Fig. 29 is a flowchart showing the processes 
performed by the process distributing unit 26 and the 
service processing unit 27. Among the operations shown 
in Fig. 29, the operations up to the header rewrite 
process (step S64) are the same as those in Fig. 20. 
According to the fifth preferred embodiment, the process 
distributing unit 26 determines whether or not an input 
packet is a packet to be transferred to the server 11 
based on an applied service type included in session 
data (step S81). If "server transfer: ON" and an applied 
service type are set in the applied service type entry, 
the process distributing unit 26 determines that the 
packet is a packet to be transferred to the server 11 
("YES" in step S81), and distributes the packet to the 
service processing unit 27 which performs the process 
for attaching a header for a transfer to a packet. The 
service processing unit 27 to which the packet is 
distributed attaches the header for a transfer to the 
packet. Contents of the header for a transfer are similar 
to those in the fourth preferred embodiment. The packet 
to which the header for a transfer is attached is 
transferred to the packet details analyzing unit 16 
within the server 11 via the packet communicating unit 
33 (step S82). The packet details analyzing unit 16 
analyzes the received packet, and resets the session 
data stored in the session table 22a' via the control 
information communicating unit 31 based on an analysis 
result (step S83). 

Fig. 30 is a flowchart showing the process 
performed by the packet details analyzing unit 16. The 
process shown in Fig. 30 corresponds to step S83 of Fig. 
29. This preferred embodiment exemplifies the case where 
the URL filtering, the URL load balancing, and the FTP 
filtering services are applied by using the packet 
details analyzing unit 16. 

Firstly, the URL filtering service is explained. 
The service controlling unit 14 within the server 
11 presets a policy which "transfers a packet to the 
packet details analyzing unit 16, and performs URL 
filtering" in the policy table 25 via the control 
information communicating unit 31. 

The packet details analyzing unit 16 determines 
that the packet is a packet to which the URL filtering 
service is to be applied based on the applied service 
type "URL filtering" included in the header for a 
transfer of the received packet. The packet details 
analyzing unit 16 then generates session data based on 
the information included in the received packet, and 
stores the generated session data in the session table 
for details analysis ("YES" in step S91). Thereafter, 
the packet details analyzing unit 16 manages the state 
of the session, and outputs a received packet unchanged 
to the network until receiving an HTTP GET request. 

When the HTTP GET request is received after the 
session state makes a transition to ESTAB ("YES" in step 
S92), the packet details analyzing unit 16 determines 
the URL, and determines whether to pass or to discard 
the packet. Namely, the packet details analyzing unit 
16 determines whether to pass or to discard the packet 
by referencing a preset table for URL filtering, which 
is included in the policy table for details analysis 
(step S93). 

If the packet details analyzing unit 16 determines 
to discard the packet ("YES" in step S93), it discards 
the packet of the session (step S103). Furthermore, the 
packet details analyzing unit 16 references the session 
table 22a' by using the session ID included in the packet, 
and rewrites the applied service type entry of the 
session data corresponding to the session ID from 
"server transfer: ON, URL filtering" to "server 
transfer: OFF, discarding" (not shown). 

If the packet details analyzing unit 16 determines 
to pass the packet ("NO" in step S93), it references 
the session table 22a', and rewrites the applied service 
type entry of the session data corresponding to the 
session ID included in the packet from "server transfer: 
ON, URL filtering" to "server transfer: OFF, filtering 
and passing" (step S94). The session data whose session 
IDs are 0 and 1 in the session table 22a' shown in Figs. 
22 and 24 exemplify session data before and after a 
packet is analyzed in the case of the URL filtering. 

After resetting the session data within the 
session table 22a', the packet details analyzing unit 
16 deletes the session data corresponding to the session 
ID from the session table for details analysis (not 
shown). 

As described above, if the packet details 
analyzing unit 16 resets the applied service type of 
session data within the session table 22a' of the network 
connecting device 20 from "server transfer: ON, URL 
filtering" to "server transfer: OFF, filtering and 
passing" or "server transfer: OFF, discarding", the 
network connecting device 20 processes subsequent 
packets according to the above described passage 
condition. Namely, the network connecting device 20 
passes or discards a packet without transferring the 
packet to the packet details analyzing unit 16 within 
the server 11. 
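
The transfer and reset behaviour described above can be modelled in a few lines. The following Python model is an added example, not part of the patent text; the class names, the URL table contents and the rule that an unlisted URL is discarded are assumptions made for illustration.

```python
"""Added example: session-table offload for URL filtering (constructed model)."""
from dataclasses import dataclass

# Constructed table for URL filtering (stands in for the one held in the
# policy table for details analysis): True means discard, False means pass.
URL_FILTER = {
    "http://blocked.example/": True,
    "http://allowed.example/": False,
}


@dataclass
class SessionData:
    server_transfer: bool   # "server transfer: ON" / "server transfer: OFF"
    service: str            # applied service type


class DetailsAnalyzer:
    """Stands in for the packet details analyzing unit 16 on the server."""

    def __init__(self, device_table):
        self.device_table = device_table  # session table 22a' in the device
        self.analysis_sessions = {}       # session table for details analysis
        self.seen = 0                     # packets that reached the server

    def analyze(self, sid, payload):
        """Return True if the packet is output to the network."""
        self.seen += 1
        self.analysis_sessions.setdefault(sid, "tracking")
        if not payload.startswith(b"GET "):
            return True                   # before the GET: output unchanged
        parts = payload.split()
        url = parts[1].decode("ascii", "replace") if len(parts) > 1 else ""
        # Assumption: a URL missing from the table is discarded (fail closed).
        discard = URL_FILTER.get(url, True)
        verdict = "discarding" if discard else "filtering and passing"
        # Reset the device's session data, then drop the analysis entry.
        self.device_table[sid] = SessionData(False, verdict)
        del self.analysis_sessions[sid]
        return not discard


class NetworkDevice:
    """Stands in for the network connecting device 20."""

    def __init__(self):
        self.table = {}
        self.analyzer = DetailsAnalyzer(self.table)

    def relay(self, sid, payload):
        """Return True if the packet leaves the device, False if discarded."""
        entry = self.table.setdefault(sid, SessionData(True, "URL filtering"))
        if entry.server_transfer:
            return self.analyzer.analyze(sid, payload)   # via the server
        return entry.service == "filtering and passing"  # device only


def run_session(device, sid, url):
    """Replay a constructed session: handshake, GET, then three data packets."""
    packets = [b"", b"", f"GET {url} HTTP/1.0\r\n\r\n".encode(),
               b"data", b"data", b"data"]
    return [device.relay(sid, p) for p in packets]
```

Of the six packets in each constructed session only the first three reach the server; the remaining ones are decided from the session table alone.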

Fig. 31 explains the operations of the above 
described URL filtering service. 

SYN, SYN_ACK, and ACK packets are exchanged 
between a client and a server. Until the session makes 
a transition to the ESTAB state, these packets are 
transferred from the network connecting device 20 to 
the packet details analyzing unit 16, which manages the 
state of the session. Namely, the process is performed 
by the network connecting device 20 and the server 11. 

Upon receipt of a packet to which a URL is 
attached, like an HTTP GET request 
GET "http://www.xxx.co.jp" after the session makes a 
transition to the ESTAB state, the packet details 
analyzing unit 16 within the server 11 determines 
whether to pass or to discard the above described 
packet by referencing the table for URL filtering, which 
is included in the policy table for details analysis, 
and rewrites the applied service type entry of the 
session table 22a' to "discarding" or "passing" based 
on a determination result. 

Thereafter, the network connecting device 20 
passes or discards packets of the session according to 
the applied service type set in the session table 22a' 
until the session terminates. Namely, the process is 
performed by the network connecting device 20. 

Next, the URL load balancing service is described 
by turning back to Fig. 30. 



With the URL load balancing, for example, after 
a client accesses a certain representative server, 
another server connected to the representative server 
is determined as a distribution destination server based 
on a URL, and a session is distributed to the 
distribution destination server, so that the load can 
be distributed to a plurality of distribution 
destination servers. 

When the URL load balancing is performed, the service 
controlling unit 14 within the server 11 first sets a 
policy which "transfers a packet to the packet details 
analyzing unit 16, and performs URL load balancing" in the 
applied service type entry of the policy table 25 via 
the control information communicating unit 31. 

According to the set condition, the process 
distributing unit 26 within the network connecting 
device 20 transfers a corresponding packet to the packet 
details analyzing unit 16 within the server 11. 

The packet details analyzing unit 16 determines 
that the packet is a packet to which the URL load 
balancing service is to be applied based on the applied 
service type "URL load balancing" included in the 
received packet. The packet details analyzing unit 16 
generates session data based on the information included 
in the received packet, and stores the generated data 
in the session table for details analysis in a similar 
manner as in the case of the URL filtering. Furthermore, 
the packet details analyzing unit 16 makes a reply 
instead of a distribution destination server based on 
the source address, the destination address, the port 
numbers, etc., which are included in the header of the 
packet, registers session data associated with each 
other in the session table for details analysis, and 
stores the session IDs of the associated session data 
in an associated session entry of the session data ("YES" 
in step S95). 

In the session table for details analysis shown 
in Fig. 26, the session data whose session IDs are 2 
to 5 are examples of session data in the case of the 
URL load balancing. In this figure, the session data 
whose session ID is 2 and the session data whose 
session ID is 4 are associated with each other, and the 
session data whose session ID is 3 and the session data 
whose session ID is 5 are associated with each other. 

The packet details analyzing unit 16 establishes 
a connection between the client and the server 11, and 
manages the state of the session thereafter. 
Additionally, the packet details analyzing unit 16 has 
a capability for terminating a TCP (Transmission Control 
Protocol) session, and makes a reply to the client 
instead of a distribution destination server until the 
distribution destination server is determined. When the 
packet details analyzing unit 16 receives an HTTP GET 
request after the session makes a transition to the ESTAB 
state ("YES" in step S96), it determines a distribution 
destination server by referencing a preset table for 
URL load balancing, which is included in the policy table 
for details analysis, by using the URL included in the 
packet (step S97). Thereafter, the server 11 establishes 
a connection to the distribution destination server by 
exchanging SYN, SYN_ACK, and ACK packets. 

Additionally, the packet details analyzing unit 
16 references the session table 22a' within the network 
connecting device 20, and obtains session data 
corresponding to the session ID included in the packet. 
The packet details analyzing unit 16 then rewrites the 
applied service type included in the obtained session 
data from "server transfer: ON, URL load balancing" to 
"server transfer: OFF, header rewrite". Furthermore, 
the packet details analyzing unit 16 sets the IP address: 
port number, a sequence number difference, and an ACK 
number difference in a service-specific information 
entry of the session data according to the IP address, 
etc. of the determined distribution destination server 
(step S98). As a result, the two pieces of session data 
that are determined to be associated with each other 
can be merged into one piece of session data, whereby 
the two connections can be handled as one connection. 
Then, the packet details analyzing unit 16 deletes the 
remaining two pieces of data which become unnecessary 
among the four pieces of session data from the session 
table 22a'. 

After resetting the session data within the 
session table 22a', the packet details analyzing unit 
16 deletes the session data corresponding to the session 
IDs from the session table for details analysis (not 
shown). The server 11 then transmits an HTTP GET request 
to the distribution destination server. 

The session data whose session IDs are 2 to 5 
within the session table 22a' shown in Figs. 22 and 24 
are examples of session data before and after packets 
are analyzed in the case of the URL load balancing. Two 
connections indicated by the two pieces of session data 
whose session IDs are 2 and 4 in Fig. 22 are merged into 
one connection indicated by the session data whose 
session ID is 2 in Fig. 24. Similarly, two connections 
indicated by the two pieces of session data whose session 
IDs are 3 and 5 in Fig. 22 are merged into one connection 
indicated by the session data whose session ID is 5 in 
Fig. 24. 

Once a packet is analyzed, subsequent packets of 
the session are not transmitted to the packet details 
analyzing unit 16. After the service processing unit 
27 that performs the header rewrite process within the 
network connecting device 20 rewrites the IP address: 
port number, the sequence number, and the ACK number 
within the packet based on the service-specific 
information within the session data stored in the 
session table 22a', it outputs the packet to the network. 
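
An added example, not part of the patent text, of the header rewrite that lets the device carry a merged connection without the server. It assumes the two differences are derived from the initial sequence numbers of the two handshakes and that the server replayed the client's request unchanged; the relay and distribution destination addresses and all sequence numbers are constructed.

```python
"""Added example: sequence/ACK rewriting for a merged (spliced) connection."""
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence and ACK numbers are 32-bit and wrap around

CLIENT = ("192.168.30.30", 11950)   # client endpoint from the text
VIP = ("192.168.200.1", 80)         # representative address, http
RELAY = ("10.0.0.1", 40000)         # constructed: server 11's own endpoint
BACKEND = ("10.0.0.11", 80)         # constructed: distribution destination
# Constructed initial sequence numbers; the client's is close to wrapping.
ISN = {"client": 0xFFFFFF00, "relay_to_client": 1000,
       "relay_to_backend": 50, "backend": 0x80000000}
GET_LEN = 300                       # constructed size of the HTTP GET


@dataclass(frozen=True)
class Rewrite:
    """Service-specific information of one direction's session data."""
    new_src: tuple   # (IP address, port) written as source
    new_dst: tuple   # (IP address, port) written as destination
    seq_diff: int    # sequence number difference, modulo 2**32
    ack_diff: int    # ACK number difference, modulo 2**32


@dataclass(frozen=True)
class Segment:
    src: tuple
    dst: tuple
    seq: int
    ack: int


def splice(client, vip, relay, backend, isn):
    """Build the two merged session entries from the four handshake ISNs.

    Assumes the relay sent the client's bytes to the backend verbatim and
    sent no payload of its own, so the offsets equal the ISN gaps.
    """
    c, rc = isn["client"], isn["relay_to_client"]
    rb, b = isn["relay_to_backend"], isn["backend"]
    to_backend = Rewrite(relay, backend, (rb - c) % MOD, (b - rc) % MOD)
    to_client = Rewrite(vip, client, (rc - b) % MOD, (c - rb) % MOD)
    return to_backend, to_client


def rewrite(seg, rule):
    """Header rewrite applied in the device to every later packet.

    A real device must also update the IP and TCP checksums; omitted here.
    """
    return Segment(rule.new_src, rule.new_dst,
                   (seg.seq + rule.seq_diff) % MOD,
                   (seg.ack + rule.ack_diff) % MOD)


def demo():
    """Rewrite one packet in each direction after the merge."""
    to_backend, to_client = splice(CLIENT, VIP, RELAY, BACKEND, ISN)
    # A client packet sent after the GET; its sequence number has wrapped.
    from_client = Segment(CLIENT, VIP,
                          (ISN["client"] + 1 + GET_LEN) % MOD,
                          ISN["relay_to_client"] + 1)
    # First response segment from the distribution destination server.
    from_backend = Segment(BACKEND, RELAY,
                           ISN["backend"] + 1,
                           ISN["relay_to_backend"] + 1 + GET_LEN)
    return rewrite(from_client, to_backend), rewrite(from_backend, to_client)
```

The differences of the two directions cancel each other modulo 2**32, which is a cheap consistency check when the session data is written.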

Fig. 32 explains the operations of the above 
described URL load balancing service. 

As shown in this figure, SYN, SYN_ACK, and ACK 
packets are exchanged between a client and a packet relay 
processing apparatus. Upon receipt of an HTTP GET 
request after the session makes a transition to the ESTAB 
state, the packet details analyzing unit 16 determines 
the URL of the GET request, and determines a distribution 
destination server. 

Then, SYN, SYN_ACK, and ACK packets are exchanged 
between the packet relay processing apparatus and the 
distribution destination server in a similar manner as 
described above, and the HTTP GET request is transmitted 
to the distribution destination server. Up to this 
operation, the process is performed by the network 
connecting device 20 and the server 11. 



Until the session terminates after the packet 
relay processing apparatus transmits the HTTP GET 
request to the distribution destination server, the 
network connecting device 20 performs a relay process 
between the client and the distribution destination 
server based on the session data stored in the session 
table 22a'. 

Next, the FTP filtering service is described by 
turning back to Fig. 30. The FTP is composed of a 
plurality of TCP connections such as a control 
connection for performing control, and one or more data 
connections for transferring data. 

The service controlling unit 14 within the server 
11 presets a policy which "transfers a packet to the 
packet details analyzing unit 16, and performs FTP 
filtering" in the policy table 25 via the control 
information communicating unit 31. 

The process distributing unit 26 within the 
network connecting device 20 transfers a corresponding 
packet to the details analyzing unit 16 according to 
the preset condition. In a similar manner as in the case 
of the URL filtering, the packet details analyzing unit 
16 determines that the packet is a packet to which the 
FTP filtering service is to be applied based on the 
applied service type included in the received packet, 
and stores session data in the session table for details 
analysis ("YES" in step S99). Then, the packet details 
analyzing unit 16 manages the state of the session, and 
outputs the received packet to the network unchanged. 

Upon receipt of an ACK packet being an FTP PORT 
or PASV command ("YES" in step S100) after the session 
makes a transition to the ESTAB state, the packet details 
analyzing unit 16 determines the IP address and port 
number included in the packet, and determines whether 
to pass or to discard the packet of this session based 
on a determination result (step S101). 

Namely, the packet details analyzing unit 16 
references a preset table for FTP filtering within the 
policy table for details analysis by using the IP address 
and port, and determines whether to pass or to discard 
the packet of the session. If the packet details 
analyzing unit 16 determines to discard the packet 
("YES" in step S101), it obtains the session data 
corresponding to the session ID included in the header 
for a transfer of the packet from the session table 22a', 
sets "discarding" in the applied service type entry of 
the session data, and discards the packet (step S103). 

Or, if the packet details analyzing unit 16 
determines to pass the packet ("NO" in step S101), it 
registers the session data of the data connection to 
the session table 22a' based on the IP address and port 
number, which are described in the data portion of the 
above described ACK packet being the PORT or the PASV 
command, and sets "filtering and passing" in the applied 
service type entry of the session data (step S102). 

If the packet details analyzing unit 16 resets the 
session data within the session table 22a' as described 
above, the network connecting device 20 processes 
subsequent packets of the data connection according to 
the above described passage condition. Namely, the 
packets of the data connection are passed or discarded 
without being transferred to the packet details 
analyzing unit 16 within the server 11. 
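
An added example, not part of the patent text, of the control-connection analysis described above: it extracts the announced IP address and port, consults a table for FTP filtering, and either marks the control session as discarding or registers session data for the data connection. It parses the PORT command and, for passive mode, the 227 reply that carries the address; the table contents, the wildcard session key and the rule that an unlisted endpoint is discarded are assumptions.

```python
"""Added example: FTP PORT/PASV analysis for data-connection sessions."""
import re

# h1,h2,h3,h4,p1,p2 as used by the PORT command and the 227 reply to PASV.
_HOSTPORT = re.compile(
    rb"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")

# Constructed table for FTP filtering: (IP address, port) -> True = discard.
FTP_FILTER = {
    ("192.168.30.30", 20000): False,
    ("192.168.30.30", 20001): True,
}


def parse_endpoint(line):
    """Return (ip, port) announced on the control connection, or None."""
    line = line.strip()
    if not (line.upper().startswith(b"PORT ") or line.startswith(b"227 ")):
        return None
    m = _HOSTPORT.search(line[4:])
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None                      # malformed octet: not an endpoint
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]   # port = p1 * 256 + p2


def handle_control_packet(session_table, control_sid, peer_ip, payload):
    """Apply the FTP filtering decision; return the verdict string or None."""
    endpoint = parse_endpoint(payload)
    if endpoint is None:
        return None                      # not PORT/PASV: output unchanged
    # Assumption: endpoints missing from the table are discarded.
    if FTP_FILTER.get(endpoint, True):
        session_table[control_sid] = "server transfer: OFF, discarding"
        return "discarding"
    # Register session data for the announced data connection. Only the
    # announced side's port is known in advance, so the connecting side's
    # port is a wildcard in this model.
    key = ("tcp", peer_ip, "*", endpoint[0], endpoint[1])
    session_table[key] = "server transfer: OFF, filtering and passing"
    return "filtering and passing"
```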

Fig. 33 explains the operations of the above 
described FTP filtering service. SYN, SYN_ACK, and 
ACK packets are exchanged between a client and the server 
11, and until the session makes a transition to the ESTAB 
state, the packets are transferred to the above described 
packet details analyzing unit 16. Namely, the process 
is performed by the network connecting device 20 and 
the server 11. 

Upon receipt of an ACK packet (to which IP address 
and port number are attached) being an FTP PORT or PASV 
command, the packet details analyzing unit 16 references 
the policy table for details analysis by using the IP 
address and port number, which are included in the packet, 
and determines whether to discard or to pass the packet. 
If the packet details analyzing unit 16 determines to 
discard the packet, it resets the applied service type 
entry in the session data within the session table 22a' 
to "discarding". Or, if the packet details analyzing 
unit 16 determines to pass the packet, it registers the 
session data of the data connection in the session table 
22a' , and sets the applied service type entry of the 
session data of the data connection to "passing". 
Thereafter, the network connecting device 20 discards 
a packet, or passes a packet of the data connection 
packet . 

Lastly, when the packet relay processing 
apparatus receives a FIN packet of the control 
connection from the client, this packet is transferred 
from the network connecting device 20 to the session 
details analyzing unit 16 within the server 11 via the 
packet communicating unit 33. The server 11 performs 
a closing process of the session via the packet details 
analyzing unit 16. Furthermore, the packet details 
analyzing unit 16 deletes the session data of the closed 
session based on the session ID included in the header 
for a transfer within the packet. 
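
The FTP filtering flow described above, as an added Python sketch that is not part of the patent text: the class names, the wildcard-source key for data-connection sessions, the sample policy and the default drop for packets with no session entry are assumptions of this example. The address of a passive-mode data connection is read from the server's 227 reply, which is where FTP carries it.

```python
import ipaddress
import re

# "h1,h2,h3,h4,p1,p2" as carried by PORT and by the 227 reply to PASV (RFC 959).
_HOSTPORT = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")


def parse_data_endpoint(payload):
    """Return the (ip, port) a control-connection line announces, else None."""
    line = payload.decode("ascii", "replace").strip()
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = _HOSTPORT.search(line)
    if m is None:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]


class NetworkConnectingDevice:
    """Fast path: holds the session table and applies the stored service type."""

    def __init__(self):
        self.table = {}    # (src or None, dst) -> session data
        self.by_id = {}    # session ID -> session data
        self.server = None

    def register(self, src, dst, service):
        entry = {"id": len(self.by_id) + 1, "service": service}
        self.table[(src, dst)] = entry
        self.by_id[entry["id"]] = entry
        return entry["id"]

    def receive(self, src, dst, payload=b""):
        entry = self.table.get((src, dst)) or self.table.get((None, dst))
        if entry is None or entry["service"] == "discarding":
            return "discard"   # no session entry: dropped (assumption of this sketch)
        if entry["service"] == "filtering and passing":
            return "pass"      # data connection: relayed without the server
        # "server transfer": hand the packet and its session ID to the server
        return self.server.analyze(entry["id"], payload)


class PacketDetailsAnalyzer:
    """Slow path on the server: inspects control-connection payloads."""

    def __init__(self, device, allowed):
        self.device = device
        # policy for details analysis: (network, lowest port, highest port)
        self.allowed = [(ipaddress.ip_network(n), lo, hi) for n, lo, hi in allowed]
        self.inspected = 0
        device.server = self

    def analyze(self, session_id, payload):
        self.inspected += 1
        endpoint = parse_data_endpoint(payload)
        if endpoint is None:
            return "pass"      # ordinary control traffic
        ip, port = endpoint
        addr = ipaddress.ip_address(ip)
        if not any(addr in net and lo <= port <= hi for net, lo, hi in self.allowed):
            # reset the control session so the device drops it from now on
            self.device.by_id[session_id]["service"] = "discarding"
            return "discard"
        # register the data connection so the device relays it by itself
        self.device.register(None, endpoint, "filtering and passing")
        return "pass"


if __name__ == "__main__":
    dev = NetworkConnectingDevice()
    srv = PacketDetailsAnalyzer(dev, [("192.168.30.0/24", 1024, 65535)])  # constructed policy
    client, ftp = ("192.168.30.30", 11950), ("192.168.200.1", 21)
    dev.register(client, ftp, "server transfer")
    print(dev.receive(client, ftp, b"PORT 192,168,30,30,200,10\r\n"))
    print(dev.receive(("192.168.200.1", 20), ("192.168.30.30", 51210), b"data"))
    print("packets inspected by the server:", srv.inspected)
```

The `inspected` counter shows the offload: it grows only for control-connection packets, while data-connection packets and packets of a session already set to "discarding" never reach the analyzer.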

The packet flows in the fifth preferred embodiment 
are explained below with reference to Figs. 34 and 35 
by taking the case of the URL load balancing service. 
Note that these figures correspond to the session data 
whose session IDs are 2 to 5, which are stored in the 
session tables shown in Figs. 22, 24, and 26. Fig. 34 
shows the packet flow before the packet details 
analyzing unit 16 resets session data. 

Before the session data are reset, a packet P11 
whose header stores "destination address:port 
number=192.168.200.1:http, source address:port 
number=192.168.30.30:11950" is transmitted from a 
client having an address:port number 
192.168.30.30:11950 to the network connecting device 
20. The session managing unit 22 within the network 
connecting device 20 references the policy table 25, 
obtains a policy whose policy search key matches the 
information within the header, generates session data 
whose session ID is 2 based on the obtained policy, and 
stores the generated session data in the session table 
22a'. 

Since the applied service type within the session 
data is "server transfer: ON, URL load balancing", the 
process distributing unit 26 within the network 
connecting device 20 distributes the packet to the 
service processing unit 27 which performs a server 
transfer process. After the service processing unit 27 
to which the packet is distributed attaches a header 
for a transfer to the packet, the packet is transferred 
to the server 11 as indicated by an arrow A22. The packet 
details analyzing unit 16 within the server 11 registers 
the session data to the session table for details 
analysis based on the information included in the 
transferred packet. 

Similarly, the session managing unit 22 stores 
session data whose session IDs are 3, 4, and 5 in the 
session table 22a' when the server 11 and the 
distribution destination server output packets P12, P13, 
and P14 via paths indicated by arrows A23 to A28, and 
the packet details analyzing unit 16 stores the 
corresponding session data in the session table for 
details analysis. 

Until receiving the HTTP GET request after 
registering the session data in the session table, the 
packet details analyzing unit 16 manages the state of 
each of the sessions, and outputs the received packet 
to the network based on the packet flow shown in Fig. 
34. 

Upon receipt of the HTTP GET request after the 
session state makes a transition to ESTAB, the packet 
details analyzing unit 16 analyzes the packet, and 
resets the session data stored in the session table 22a' 
based on an analysis result. The session data after being 
reset are shown in Fig. 24. 

Fig. 35 shows the packet flow after the packet 
details analyzing unit 16 resets the session data. After 
the session data are reset, a packet P14 whose header 
stores "destination address:port 
number=192.168.200.1:3333, source address:port 
number=192.168.200.10:8080" is transmitted from the 
distribution destination server to the network 
connecting device 20 as indicated by an arrow A31. The 
process distributing unit 26 within the network 
connecting device 20 references the session table 22a' 
by using the information included in the header of the 
packet, obtains session data whose session ID is 5, and 
distributes the packet to the service processing unit 
27 which performs a header rewrite process based on the 
session data. The service processing unit 27 generates 
a packet P12 by rewriting the destination address and 
port number within the header of the packet to 
"192.168.30.30:11950", and the source address and port 
number to "192.168.200.1:http" based on the session data. 
Then, the network connecting device 20 outputs the 
packet P12 to the client. 

Similarly, as indicated by an arrow A33, a packet 
P11 whose header stores "destination address:port 
number=192.168.200.1:http, source address:port 
number=192.168.30.30:11950" is transmitted from the 
client having the address:port number 
192.168.30.30:11950 to the network connecting device 
20. The process distributing unit 26 within the network 
connecting device 20 references the session table 22a' 
by using the information included in the header of the 
packet, and obtains session data whose session ID is 
2. Since "server transfer: OFF, header rewrite" is 
stored in the applied service type entry of the obtained 
session data in this example, the process distributing 
unit 26 distributes the packet to the service processing 
unit 27 which performs a header rewrite process. The 
service processing unit 27 generates a packet P13 by 
rewriting the destination address and port number within 
the header of the packet to the address and port number 
"192.168.200.10:8080" of the distribution destination 
server. Then, the network connecting device 20 outputs 
the packet P13 to the distribution destination server 
as indicated by an arrow A34. 

As described above, after the session details 
analyzing unit 16 rewrites the session data based on 
the analysis result of the packet, the network 
connecting device 20 performs a packet relay process 
not via the server 11. 

As stated earlier, in this preferred embodiment, 
the packet relay processing capability based on session 
management is arranged in the network connecting device 
20, and the capability that is conventionally arranged 
in a server is implemented by the network connecting 
device 20, thereby reducing the CPU use ratio of the 
server 11 in a similar manner as in the first preferred 
embodiment. Additionally, the consistency of a session 
currently being continued can be maintained, even if 
a routing table is changed during the session, in a 
similar fashion as in the first preferred embodiment. 

Furthermore, according to the fifth preferred 
embodiment, the packet details analyzing unit 16 within 
the server 11 analyzes a packet, determines a service, 
and sets the contents of the determined service in the 
network connecting device 20, so that the network 
connecting device 20 performs a relay process for the 
same session based on the contents of the determined 
service thereafter. Accordingly, a service process can 
be performed faster than in the case where the server 
11 performs all of the processes. 

Next, modifications of the preferred embodiments 
are described. 
By applying a first modification to the first to 
the fifth preferred embodiments, session data may be 
deleted from the session table 22a' not immediately 
after the session terminates, but after a predetermined 
time period elapses. 

To implement this, the policies in the policy 
table 25 and session data in the session table 22a' 
further include a consistency duration as an entry as 
shown in Figs. 14 and 15, and 22 to 25. The process 
performed by the packet relay processing apparatus 
according to the first modification is explained. In 
the first modification, part of the process performed 
by the session managing unit 22 differs from that in 
the first to the fifth preferred embodiments. The 
process performed by the session managing unit 22 in 
the case where the first modification is applied is 
described with reference to Fig. 6. 

If the session managing unit 22 determines that 
a certain session is closed in step S17 of Fig. 6 ("YES" 
in step S17), it sets a timer. The process of the session 
managing unit 22 proceeds to step S18 of Fig. 6 after 
waiting for the consistency duration included in the 
session data, and deletes the corresponding session data 
from the session table 22a'. 

As a result, if a session is reestablished before 
a consistency duration elapses from the termination of 
the session, the session managing unit 22 can handle 
the session as a session identical to the previously 
terminated session if the session search key does not 
change. For example, in the load balancing service, a 
packet can be distributed to the same distribution 
destination server both in a terminated session and a 
reestablished session. Consequently, a search in the 
policy table 25, which is made by the session managing 
unit 22, and a packet transfer to the server 11, which 
is made by the process distributing unit 26, can be 
omitted, thereby processing a packet at high speed. 

Next, a second modification is explained. By 
applying the second modification to the third to the 
fifth preferred embodiments, a policy applied to a 
session may be easily turned on/off. To implement this, 
according to the second modification, a plurality of 
policies are divided into groups. Furthermore, a policy 
stored in the policy table 25 further includes as an 
entry a group ID for identifying a group to which the 
policy belongs as shown in Fig. 15, and the network 
connecting device 20 further comprises a flag table 
shown in Fig. 36. 

The data configuration of the flag table is 
described below with reference to Fig. 36. As shown in 
this figure, the flag table stores a flag indicating 
whether a policy is either valid or invalid for each 
group ID. Fig. 36 shows an example where a policy is 
invalid if the flag is OFF (0), and valid if the flag 
is ON (1). 

The process performed by the packet relay 
processing apparatus according to the second 
modification is explained below. In the second 
modification, part of the process performed by the 
session managing unit 22 differs from that in the third 
to the fifth preferred embodiments. A point, which is 
changed by applying the second modification to the 
preferred embodiments, in the process performed by the 
session managing unit 22 is described in detail with 
reference to Fig. 16 that shows the process performed 
by the session managing unit 22 according to the third 
preferred embodiment as an example. 

In the second modification, the session managing 
unit 22 further performs the following operations 
between steps S43 and S44 of Fig. 16. Firstly, in step 
S43, the session managing unit 22 searches the policy 
table 25, and obtains a policy having a policy search 
key that matches information stored in the header of 
a packet. The session managing unit 22 references the 
flag table by using the group ID included in the obtained 
policy, and determines whether the flag corresponding 
to the group ID is either ON or OFF. 

If the flag is OFF as a result of the determination, 
the session managing unit 22 does not adopt the policy. 
If the flag is ON, the session managing unit 22 adopts 
the policy. The session managing unit 22 generates 
session data based on the policy in step S44, and stores 
the generated session data in the session table 22a'. 
In this way, a policy to be adopted can be turned on/off 
for each group. 

For example, if a plurality of normal policies and 
a plurality of exceptional policies are generated, a 
normal group composed of normal policies and an 
exceptional group composed of exceptional policies are 
predefined, and both the normal and the exceptional 
policies are registered to the policy table 25, 
according to the second modification. Furthermore, a 
flag corresponding to a group that a user of the packet 
relay processing apparatus desires to validate, namely, 
the normal or the exceptional group is turned on. In 
this way, the normal and the exceptional policies can 
be easily turned on/off for each group. 

Next, a third modification is described. By 
applying the third modification to the third to the fifth 
preferred embodiments, a packet log may be recorded. 
To implement this, according to the third modification, 
session data and a policy, which are stored in the 
session table 22a' and the policy table 25 in Figs. 14 
and 15, and 22 to 25, further include as entries event 
flags. 

The event flags include an event flag for a packet, 
and an event flag for a header. If the event flag for 
a packet is ON (1), the packet is transferred to the 
server to record a log (history). If the event flag for 
a header is ON, the header of the packet is transferred 
to the server 11 to record a log. The server 11 analyzes 
the transferred packet or the header of the packet, and 
records a log. As a result, information helpful for 
restoring a system from a fault can be obtained by 
analyzing a recorded log with network administration 
software, for example, when the fault occurs in the 
system. 

Next, a fourth modification is explained. 
According to the fourth modification, the network 
connecting devices 20 according to the first to the fifth 
preferred embodiments further comprise a counter (not 
shown) in order to obtain statistical information of 
a packet. The network controlling unit 12 or the service 
controlling unit 14 within the server 11 references the 
value of the counter. For example, the numbers of input 
and output packets for each interface are considered 
as statistical information. The statistical 
information may be used when billing a client. 

Furthermore, in the third to the fifth preferred 
embodiments, the number of sessions to which a policy 
is applied, namely, the number of policy hits, which 
is the number of times that a policy hits, may be further 
obtained as statistical information for each policy 
stored in the policy table 25. 

To implement this, according to the fourth 
modification, each policy stored in the policy table 
25 further includes the number of policy hits as an entry 
as shown in Fig. 15. When the session managing unit 22 
references the policy table 25 to obtain a policy to 
be applied in order to register the session data of a 
new session to the session table 22a', the counter 
increments the number of policy hits of the obtained 
policy. In this way, a network administrator can obtain 
the information for determining whether or not a policy 
is effectively used. 
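
The first and second modifications and the policy hit counter described above, combined in one added Python sketch (not code from the patent). Assumptions of this example: timestamps are passed in explicitly and closed sessions are purged lazily instead of by a timer, the policy search moves on to the next matching policy when a group flag is OFF, distribution is round-robin, and the server addresses other than 192.168.200.10:8080 are constructed.

```python
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass
class Policy:
    search_key: tuple            # (destination address, destination port)
    group_id: int                # group the policy belongs to
    servers: list                # distribution destination servers
    consistency_duration: float  # seconds session data outlives the session
    hits: int = 0                # number of policy hits
    _next: int = 0

    def pick_server(self):
        server = self.servers[self._next % len(self.servers)]
        self._next += 1
        return server


@dataclass
class Session:
    session_id: int
    server: str
    consistency_duration: float
    closed_at: Optional[float] = None


class SessionManager:
    def __init__(self, policies, flag_table):
        self.policies = policies
        self.flag_table = flag_table   # group ID -> 1 (valid) or 0 (invalid)
        self.sessions = {}             # session search key -> Session
        self.policy_searches = 0
        self._ids = count(1)

    def _expire(self, now):
        # delete session data whose consistency duration has elapsed
        for key, s in list(self.sessions.items()):
            if s.closed_at is not None and now - s.closed_at >= s.consistency_duration:
                del self.sessions[key]

    def open(self, key, now):
        """key = (src addr, src port, dst addr, dst port); None if no valid policy."""
        self._expire(now)
        s = self.sessions.get(key)
        if s is not None:
            s.closed_at = None         # re-established: same session, no policy search
            return s
        self.policy_searches += 1
        for p in self.policies:
            if p.search_key != key[2:]:
                continue
            if not self.flag_table.get(p.group_id, 0):
                continue               # flag OFF: the policy is not adopted
            p.hits += 1
            s = Session(next(self._ids), p.pick_server(), p.consistency_duration)
            self.sessions[key] = s
            return s
        return None

    def close(self, key, now):
        s = self.sessions.get(key)
        if s is not None:
            s.closed_at = now          # kept until the consistency duration elapses


if __name__ == "__main__":
    vip = ("192.168.200.1", 80)
    normal = Policy(vip, 1, ["192.168.200.10:8080", "192.168.200.11:8080"], 30)
    exceptional = Policy(vip, 2, ["192.168.200.99:8080"], 0)
    mgr = SessionManager([normal, exceptional], {1: 1, 2: 0})
    key = ("192.168.30.30", 11950) + vip
    print(mgr.open(key, now=0).server)
    mgr.close(key, now=10)
    print(mgr.open(key, now=25).server, "policy searches:", mgr.policy_searches)
```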

Furthermore, in the third to the fifth preferred 
embodiments, the number of distribution destination 
hits, which indicates the number of times that a session 
is distributed, may be further obtained as statistical 
information for each distribution destination server 
in the load balancing service. 

To implement this, each policy for the load 
balancing service, which is stored in the policy table 
25 shown in Fig. 15 or the policy table for details 
analysis shown in Fig. 27, further includes as an entry 
the number of distribution destination hits for each 
distribution destination server address. Each time the 
service processing unit 27 or the packet details 
analyzing unit 16 performs a process for determining 
a distribution destination server in a session, the 
counter increments the number of distribution 
destination hits, which corresponds to the server 
determined as a distribution destination server. In this 
way, a network administrator can obtain the information 
for determining whether or not a load balancing method 
effectively runs. 

Programs describing the processes performed by 
the units that configure the network connecting device 
20 and the server 11, which are explained in the above 
described preferred embodiments, are recorded in a 
memory such as a RAM (Random Access Memory), a ROM (Read 
Only Memory), etc. These programs may be arranged as 
hardware or software in the packet relay processing 
apparatuses. 

This case is explained below. 
Fig. 37 shows the configuration of a computer 
(information processing device). As shown in this figure, 
a computer 40 comprises at least a CPU 41, and a memory 
42. The computer 40 may further comprise an input device 
43, an output device 44, an external storage device 45, 
a medium driving device 46, and a network interface 47. 
These devices are interconnected by a bus 48. 

The memory 42 includes, for example, a ROM, a RAM, 
etc., and stores a program and data, which are used for 
processes. The CPU 41 performs necessary processes by 
executing the program with the memory 42. 

To make two or more computers 40 implement the 
capabilities corresponding to the server 11 and the 
network connecting device 20, which configure a packet 
relay processing apparatus, programs describing the 
processes performed by the respective units that 
configure the packet relay processing apparatus shown 
in Figs. 3, 11, 13, 19, and 21 are prepared. Then, the 
program describing the processes performed by the units 
that the server 11 comprises (hereinafter referred to 
as a program for the server 11) is stored in a particular 
program code segment of the memory 42 within the computer 
to implement the server 11. 

In addition, the program describing the processes 
performed by the units that the network connecting 
device 20 comprises (hereinafter referred to as a 
program for the network connecting device 20) is stored 
in a particular program code segment of the memory 42 
within the computer to implement the network connecting 
device 20. Here, the CPU of the computer to implement 
the network connecting device 20 is, for example, a 
network processor. The processes performed by the above 
described units were explained earlier with the 
flowcharts. 

The input device 43 is, for example, a keyboard, 
a pointing device, a touch panel, etc., and is used to 
input an instruction or information from a user or other 
computers, etc. The output device 44 is, for example, 
a display, a printer, etc., and is used to output an 
inquiry to a user of the computer 40, a process result, 
etc. 

The external storage device 45 is, for example, 
a magnetic disk device, an optical disk device, a 
magneto-optical disk device, etc. The above described 
programs and data are stored in the external storage 
device 45, and may be used by being loaded into the memory 
42 on demand. 

The medium driving device 46 drives a portable 
storage medium 49, and accesses its recorded contents. 
As the portable storage medium 49, an arbitrary 
computer-readable storage medium such as a memory card, 
a memory stick, a flexible disk, a CD-ROM (Compact 
Disc-Read Only Memory), an optical disk, a 
magneto-optical disk, a DVD (Digital Versatile Disk), 
etc. is used. The above described programs and data are 
stored onto the portable storage medium 49, and may be 
used by being loaded into the memory 42 on demand. 

The network interface 47 communicates with an 
external device via an arbitrary network (line) such 
as a LAN, a WAN, etc., and performs data conversion 
accompanying a communication. Additionally, the 
network interface 47 receives the above described 
programs and data from an external device, and the 
program and data can be used by being loaded into the 
memory 42 on demand. 

Fig. 38 explains a computer-readable storage 
medium and a transmission signal, which can provide 
programs and data to the computer shown in Fig. 37. 

By providing the above described programs and data 
stored in the tables to computers to respectively 
implement the server 11 and the network connecting 
device 20 with a storage medium, etc., two or more 
computers are enabled to implement the capabilities 
corresponding to a packet relay processing apparatus. 

To implement this, the above described programs 
and data are prestored in the computer-readable storage 
medium 49. As shown in Fig. 38, a computer to implement 
the server 11 is made to read the program for the server 
11, etc. from the portable storage medium 49 with the 
medium driving device 46, the program, etc. are once 
stored in the memory 42 or the external storage device 
45 of the computer (server 11), and the CPU 41 comprised 
by the computer (server 11) is made to read and execute 
the stored program. 

Similarly, the program for the network connecting 
device 20, etc. are read from the portable storage medium 
49, once stored in the memory 42, etc. of the computer 
to implement the network connecting device 20, and the 
CPU 41 comprised by the computer (network connecting 
device 20) is made to read and execute the stored 
program. 

Additionally, the programs may be respectively 
downloaded from a DB 50, which is possessed by a program 
(data) provider, into the computers to implement the 
server 11 and the network connecting device 20 via a 
communications line (network) 51 instead of making the 
computers read the programs, etc. from the storage 
medium 49. In this case, for example, a computer that 
comprises the DB 50 and transmits the programs converts 
the above described programs and data into program and 
data signals, obtains transmission signals by 
modulating the converted program and data signals with 
a modem, and outputs the obtained transmission signals 
to the communications line 51 (transmission medium). 
The computers that receive the programs obtain the 
program and data signals by demodulating the received 
transmission signals with a modem, and further obtain 
the programs and data by converting the obtained program 
and data signals. 

Next, loading of the programs and data into the 
computers to implement the server 11 and the network 
connecting device 20 is explained in detail by citing 
an example with reference to Fig. 39. 

As shown in this figure, the computers to 
implement the server 11 and the network connecting 
device 20, which respectively comprise a CPU and a memory, 
are interconnected by the above described control 
information communicating unit 31. For example, if the 
control information communicating unit 31 is a PCI bus, 
the network connecting device may be implemented as a 
NIC (Network Interface Card) for PCI. 

For instance, if there is a storage medium on which 
the programs, etc. (firmware) for the server 11 and the 
network connecting device 20 are recorded, the programs 
for the server 11 and the network connecting device 20, 
etc. are loaded from the storage medium into the memory 
of the server 11 by using a medium driving device which 
is comprised by the computer to implement the server 
11 and is not shown (arrow A41). Then, the program for 
the network connecting device 20, etc., which are stored 
in the memory of the server 11, are loaded into the memory 
of the network connecting device 20 via the control 
information communicating unit 31 (arrow A42). In this 
way, the necessary programs, etc. can be provided to 
the computers to implement the server 11 and the network 
connecting device 20. The CPU of the server 11 executes 
the program for the server 11, which is loaded into the 
memory of the server 11, whereas the CPU of the network 
connecting device 20 executes the program for the 
network connecting device 20, which is loaded into the 
memory of the network connecting device 20. 

Needless to say, the programs, etc. may be 
prestored onto a ROM, etc. instead of being loaded from 
a storage medium as described above. Additionally, the 
programs, etc. may be provided to the computer to 
implement the server 11 by using transmission signals 
instead of a storage medium. 

Furthermore, the respective units, which 
configure the network connecting device 20, may be 
configured as hardware by using an ASIC (Application 
Specific Integrated Circuit) in place of the CPU in the 
network connecting device 20. 

As described above, according to the present 
invention, the following effects can be obtained. 

(1) A packet relay processing unit based on session 
management is arranged in a network connecting device, 
which is made to perform a relay process based on the 
session management, thereby reducing the CPU use ratio 
of the server. Additionally, in the network connecting 
device, session management is performed, and an output 
destination is registered to a session table at the start 
of a session, whereby the consistency of a session 
currently being continued can be maintained, even if 
a routing table is changed during the session. 

(2) An external session managing unit is arranged in 
the server of the packet relay processing apparatus, 
and the network connecting device transfers session 
information to the server, which then performs session 
management. As a result, a session which overflows in 
the network connecting device can be managed by the 
server, even if the number of sessions exceeds the number 
registered to the session table. 

(3) A process distributing unit and a plurality of 
service processing units are arranged in a network 
connecting device which can perform a process faster 
than a server, thereby reducing the CPU use ratio of 
the server, and speeding up a service process. 

(4) An external service processing unit is arranged 
in a server, and both a network connecting device and 
the server are enabled to execute a service process. 
Consequently, a service process that is difficult to 
be implemented by the network connecting device can be 
executed by the server, and the network connecting 
device performs a relay process based on the contents 
of a determined service, whereby a service process can 
be executed faster than in the case where the server 
performs all of the service processes. 

While the invention has been described with 
reference to the preferred embodiments thereof, various 
modifications and changes may be made by those skilled 
in the art without departing from the true spirit and 
scope of the invention as defined by the claims thereof. 



